News Items

In June, locals in New Orleans will have a chance to try the first craft beer created by an artificial intelligence (AI) platform. The beer was an experiment between The Australian Institute for Machine Learning (AIML) and Barossa Valley Brewing (BVB), founded by D'Silva. D'Silva stated that about 10 million people review beers every day. The researchers wanted to know what would happen if AI combed through the reviews and then manipulated the data to create a recipe. The producer would then use the recipe to create the beer. D'Silva stated that AI will make it easier for brewers to produce their products. It was noted that AI helps create the recipe, but the beer is still brewed manually. The researchers stated that AI will not replace the jobs of brewers. The AI beer will only be available in New Orleans for a limited time.

WGNO reports: "'Taste of The Future' First Artificial Intelligence-Created Craft Beer to be Released at NOLA Brewing"

Customers of a popular network-attached storage (NAS) vendor appear to be caught in the middle of two ransomware campaigns. Taiwanese manufacturer QNAP released an advisory late last week warning of a critical threat from the DeadBolt variant, which it said appeared to be targeting users running outdated versions of QTS 4.x. The company stated to secure your NAS, they strongly recommend updating QTS or QuTS hero to the latest version immediately. The company noted that if your NAS has already been compromised, take the screenshot of the ransom note to keep the bitcoin address, then upgrade to the latest firmware version, and the built-in Malware Remover application will automatically quarantine the ransom note which hijacks the login page. Security researchers at G Data Malware have warned of a resurgent eCh0raix campaign targeting the same devices. The ransomware, also known as QNAPCrypt, is currently only being detected by 28 out of 58 vendors. This is not the first time that both variants have targeted QNAP devices. In May, the vendor warned that devices using weak passwords or outdated QTS firmware may be susceptible to attack. To avoid being compromised, the company advised customers to use stronger passwords for admin accounts, enable IP access protection to mitigate the risk of brute force attacks, avoid using ports 443 and 8080, and update QTS and all associated apps to the latest versions. In the same month, QNAP issued a separate advisory warning of an earlier DeadBolt campaign. DeadBolt also struck in January this year. Bud Broomhead, CEO at Viakoo, explained that around 10 out of CISA's 700+ listed known exploited vulnerabilities affect QNAP. Broomhead stated that QNAP devices are very attractive to cybercriminals whose strategy is to ask a large number of victims for a small amount of money, as opposed to a few victims being asked for large amounts. Broomhead noted that the $900 asked for as a ransom is at a level where many operators of the devices will choose to pay rather than get their IT or security teams involved.

Infosecurity reports: "QNAP Customers Hit by Double Ransomware Blitz"

The personal information of millions of individuals may have been stolen by adversaries due to a data breach at Eye Care Leaders. The Durham, North Carolina-based company, which sells eye care management software solutions, claims to work with more than 9,000 ophthalmologists and optometrists. At least 23 of these eye care providers have been impacted by a data breach that Eye Care Leaders disclosed in December 2021. The company took down the compromised systems within 24 hours after the breach was detected, but not before the attackers accessed databases and files containing patient records. Potentially compromised information included names, addresses, birth dates, gender, phone numbers, email addresses, driver's license numbers, health insurance information, medical record numbers, Social Security numbers, and eye care-related medical information. During the forensic investigation, it was revealed that the databases and files compromised as part of the incident did not include credit card or financial information. Approximately 2.2 million patients were potentially compromised in the Eye Care Leaders data breach. However, given the large number of customers the vendor claims to have, the number of impacted individuals could be much higher.

SecurityWeek reports: "Breach at Eye Care Software Vendor Hits Millions of Patients"

Scientists with the Chicago Quantum Exchange (CQE) at the University of Chicago's Pritzker School of Molecular Engineering have announced that they have connected the city of Chicago and suburban labs with a quantum network for the first time, almost doubling the length of what was one of the longest in the US. The Chicago network will be open to academia and industry soon, becoming one of the nation's first publicly available testbeds for quantum security technology. Currently, the network is actively operating quantum security protocols through the use of Toshiba technology, distributing quantum keys over fiber optic cable at a speed of more than 80,000 quantum bits per second between Chicago and the western suburbs. Toshiba's involvement in the initiative elevates the Chicago network to a one-of-a-kind collaboration involving academia, government, and industry. Researchers will use the Chicago network to test new communication devices, security protocols, and algorithms that will eventually connect distant quantum computers throughout the country and the world. The effort is the next step toward a national quantum internet, which will have far-reaching effects on communications, computation, and national security. This article continues to discuss the Chicago quantum network, how it makes an advancement towards a secure national quantum Internet, and how the rise of quantum computers presents a significant opportunity and threat.

UChicago reports "Chicago Expands and Activates Quantum Network, Taking Steps Toward a Secure Quantum Internet"

Security researchers at Rapid7 wanted to answer a research question they had which is "if your organization gets hit by a ransomware gang that has also managed to steal company data before hitting the encrypt button, which types of data are more likely to end up being disclosed as you debate internally on whether you should pay the ransomware gang off?" The researchers analyzed 161 data disclosures performed by ransomware gangs using the double extortion approach between April 2020 and February 2022. They found that the most commonly leaked data is financial (63%), followed by customer/patient data (48%). The researchers also found that files containing intellectual property (e.g., trade secrets, research data, etc.) are rarely disclosed (12%) by ransomware gangs, but if the organization is part of the pharmaceutical industry, the risk of IP data being disclosed is considerably higher (43%). The researchers noted that this is likely due to the high value placed on research and development within this industry. The researchers said that the data most disclosed depends on what sector is breached. The researchers found that victims in the financial services sector should mainly worry about customer data being released. It happened in 82% of the analyzed cases, while the average percentage for all disclosures across all sectors is 41%. The researchers noted that stolen employee PII and HR data, as well as finance and accounting data, are also leaked often (59% and 50%, respectively). The researchers stated that victims in the healthcare sector have their finance and accounting data leaked in 71% of cases and their customer and patient data leaked in 66% of cases. The researchers noted that organizations in the pharma sector should worry especially about their IP being released, as well as their finance and accounting data (71%). The researchers advise companies to make backups and ensure the data in them can be quickly restored. The researchers also noted that organizations should counter the data disclosure threat by using file encryption, rendering any files unreadable to unauthorized eyes, and to minimize attackers' movements via network segmentation.

Help Net Security reports: "Which Stolen Data Are Ransomware Gangs Most Likely to Disclose?"

Cybersecurity researchers at CloudSEK have discovered a new sophisticated phishing toolkit for sale across several cybercrime forums and Telegram channels. The researchers dubbed the toolkit "NakedPages." The toolkit was developed using NodeJS Framework, runs JavaScript code, is fully automated, and comes preloaded with over 50 phishing templates and site projects. One post on the cybercrime forum, viewed by the researchers, stated, "NakedPages is the phishing tool any serious developer/spammer needs with more features than any other reverse proxy combined or PHP phishing framework combined." The researchers stated that NakedPages is designed to work on Linux and asks for read, write, and execute permissions from the 'user' and further requests for read and execute permissions from both 'group' and 'others' in order to work. The toolkit also reportedly features fully-integrated and battle-based anti-bot functionalities, capable of detecting bots of different types from over 120 countries. Regarding the threat actor behind the new phishing toolkit, the researchers stated that it is a new user on GitHub and the cybercrime forum, with both accounts being less than a month old.

Infosecurity reports: "NakedPages Phishing Toolkit is Now Available on Cybercrime Forums"

Anker's primary smart home device hub, Eufy Homebase 2, was discovered to have three flaws, one of which was a severe Remote Code Execution (RCE) vulnerability. The Homebase 2 serves as a video storage and networking gateway for all of Anker's Eufy smart home products, including video doorbells, interior security cameras, alarm systems, smart locks, and more. Homebase is a central hub for Eufy devices, connecting to the cloud to enable services such as expanded product functionality and app-based remote control. According to Cisco Talos researchers, Homebase 2 has three potentially severe vulnerabilities that could lead to privacy intrusion, service interruption, and code execution. Before the flaws were made public, Cisco Talos notified Anker of the issues, allowing them time to address them with security upgrades. Anker addressed these security issues in April 2022 with firmware versions 3.1.8.7 and 3.1.8.7h. However, most Homebase 2 devices that have not had their firmware updated since purchase are still vulnerable to the exploitation of the discovered flaws. This article continues to discuss the potential exploitation and impact of the three security flaws found in the Eufy Homebase 2 smart home device hub.

CyberIntelMag reports "Severe Flaw in Anker Eufy Smart Home Hubs Makes Them Vulnerable to RCE Attacks"

WordPress websites that use the popular Ninja Forms plugin have been automatically updated to address a severe security vulnerability suspected of being actively abused in the wild. The problem, which involves a case of code injection, is rated 9.8 out of 10 in terms of severity and impacts various versions beginning with 3.0. Ninja Forms is a contact form builder with more than 1 million installs. The problem allowed unauthenticated attackers to call a limited number of methods in different Ninja Forms classes, including a method that unserialized user-supplied material, resulting in Object Injection. This could enable attackers to execute arbitrary code or delete arbitrary files on sites with a separate property-oriented programming chain, according to Wordfence's Chloe Chamberland. This article continues to discuss the potential exploitation and impact of the critical plugin vulnerability.

THN reports "Over a Million WordPress Sites Forcibly Updated to Patch a Critical Plugin Vulnerability"

Researchers at Chongqing University have boosted the privacy and protection of proprietary or other sensitive information during data mining without compromising the ability to discover useful patterns in huge datasets. Data mining is the discovery of patterns in enormous sets of data and the sharing of that information for useful purposes, which often involves Machine Learning (ML). Oftentimes, data mining hits a roadblock when such data patterns are proprietary, undermine privacy, or compromise security. However, such data sharing or publication pushes further discovery of useful patterns that benefit the owners of those datasets and society at large. This article continues to discuss the importance of data mining and the technique developed by the researchers to support association rule mining on published datasets while providing privacy for certain rules.

SCIENMAG reports "Sensitive Proprietary Patterns Discovered in Data Mining Given Privacy Boost"

Security researchers 451 Research found that 45% of businesses have experienced a cloud-based data breach or failed audit in the past 12 months, up 5% from the previous year, raising even greater concerns regarding protecting sensitive data from cybercriminals. The researchers noted that globally, cloud adoption and notably multicloud adoption remain on the rise. In 2021, organizations worldwide were using an average amount of 110 software as a service (SaaS) applications, compared with just eight in 2015, showcasing a startlingly rapid increase. The researchers stated that with increasing complexity of multicloud environments comes an even greater need for robust cybersecurity. When asked what percentage of their sensitive data is stored in the cloud, 66% of participants said between 21-60%. However, only 25% said they could fully classify all data. Additionally, 32% of respondents admitted having to issue a breach notification to a government agency, customer, partner, or employees. The respondents also reported an increasing prevalence of cyberattacks, with 26% citing an increase in malware, 25% in ransomware, and 19% reporting seeing an increase in phishing. The researchers stated that these findings should be a cause for concern among enterprises with sensitive data, particularly in highly regulated industries.

Help Net Security reports: "66% of Organizations Store 21%-60% of Their Sensitive Data in The Cloud"

According to researchers at Kaspersky, specialist hackers are selling access to enterprise networks for under $1000, thanks partly to a cybercrime underground flooded with compromised credentials. The researchers stated that the average cost for access to a large company's systems sits between $2000 and $4000. However, this can vary significantly depending on the target organization's revenue, sector, region, and type of access offered. Across the 200 dark web posts the researchers analyzed, 43% offered access for under $1000, with just 17% charging more than $5000. The researchers noted that the vast majority (75%) of posts were selling various types of RDP access. According to the researchers, the top three methods of gaining initial access to corporate networks are vulnerability exploitation, phishing, and obtaining legitimate credentials via stealer logs and password mining.

Infosecurity reports: "Corporate Network Access Selling for Under $1000 on Dark Web"

Security researchers at Lookout have analyzed a sophisticated Android spyware family that appears to have been created to serve nation-state customers. The spyware was dubbed Hermit and appears to be the first publicly identified mobile spyware developed by Italian vendor RCS Lab S.p.A. and Tykelab Srl, which claims to be a telecommunications solutions company, but which is likely a front company. Tykelab appears closely connected to RCS Lab, with its employees claiming on LinkedIn to be working at both companies. Active for three decades, RCS Lab appears to operate in the same market as Pegasus developer NSO Group and FinFisher creator Gamma Group. The researchers stated that the government of Kazakhstan currently uses Hermit to target entities within the country and has found evidence that Hermit was previously used by Italian authorities in 2019 and by an unknown actor in a predominantly Kurdish region of Syria. The researchers believe that the Android surveillanceware is being distributed via SMS messages that claim to come from legitimate sources. An iOS version of the threat also exists, but the researchers were unable to obtain a sample. The researchers stated that the spyware supports 25 modules, each with unique capabilities, to exploit rooted devices, make and redirect calls, record audio and take screenshots, and collect call logs, contacts, messages, browser data, photos, device location, and more. The researchers say they retrieved and analyzed 16 of these modules. The researchers noted that Hermit's modular design also allows it to hide its malicious intent through packages that are downloaded when needed. The initial application functions as a framework with minimal surveillance capability but can fetch modules and activate their functionality as instructed. One researcher stated that this approach "ensures that automated analysis of the app cannot find any of the spying functionality and makes even manual analysis significantly harder."

SecurityWeek reports: "Sophisticated Android Spyware 'Hermit' Used by Governments"

Security researchers at PIXM security have analyzed a well crafted phishing message sent via Facebook Messenger that ensnared 10 million Facebook users and counting. The researchers noted that the scam is still active and continues to push victims to a fake Facebook login page where victims are enticed to submit their Facebook credentials. The phishing campaign began last year and ramped up in September. The researchers assert the campaign is tied to a single person located in Colombia. The reason PIXM believes the massive Facebook scam is tied to a single individual is because each message links back to code "signed" with a reference to a personal website. The researchers stated that the crux of the phishing campaign centers around a fake Facebook login page. It might not look immediately suspicious, as it closely copies Facebook's user interface. The researchers noted that when a victim enters their credentials and clicks "Log In," those credentials are sent to the attacker's server. Then, the threat actor would login to that account and send out the link to the user's friends via Facebook Messenger. Any friends that click the link are brought to the fake login page. If they fall for it, the credential-stealing message is forwarded to their friends. Post-credential phish, victims are redirected to pages with advertisements, which in many instances also included surveys. The researchers noted that each of these pages generates referral revenue for the attacker. The researchers stated that the adversary of this campaign managed to circumvent the social media platform's security checks by utilizing a technique that Facebook missed. When a victim clicks on a malicious link in Messenger, the browser initiates a chain of redirects. The first redirect points to a legitimate "app deployment" service. After the user has clicked, the victim will be redirected to the actual phishing page. But, in terms of what lands on Facebook, it's a link generated using a legitimate service that Facebook could not outright block without blocking legitimate apps and links as well. The researchers were able to access the hacker's own pages for tracking the campaigns. The data indicated that nearly 2.8 million people fell for the scam in 2021 and 8.5 million have so far this year. The researchers warn that as long as these domains remain undetected by using legitimate services, these phishing tactics will continue to flourish.

Threatpost reports: "Facebook Messenger Scam Duped Millions"

A "dangerous piece of functionality" in the Microsoft 365 suite has been uncovered that might be used by a malicious actor to hold assets stored on SharePoint and OneDrive at ransom as well as execute attacks on cloud infrastructure. According to researchers at Proofpoint, the cloud ransomware attack allows file-encrypting malware to encrypt files saved on SharePoint and OneDrive in a way that makes them unrecoverable without dedicated backups or a decryption key. In addition, the infection sequence can be carried out using a combination of Microsoft Application Programming Interfaces (APIs), command-line interface (CLI) scripts, and PowerShell scripts. The attack is based on a Microsoft 365 feature called AutoSave, which copies older file versions whenever users make changes to a file stored on OneDrive or SharePoint Online. It begins with getting unauthorized access to a target user's SharePoint Online or OneDrive account, which is then used to exfiltrate and encrypt contents. The three most popular ways for a malicious actor to gain an initial footing are to directly breach the account via phishing or brute-force attacks, trick a user into authorizing a rogue third-party OAuth application, or hijack a logged-in user's web session. This article continues to discuss how the Microsoft Office 365 feature can help cloud ransomware attacks.

THN reports "A Microsoft Office 365 Feature Could Help Ransomware Hackers Hold Cloud Files Hostage"

Citrix is advising users of its Application Delivery Management (ADM) solutions to update their systems to protect themselves from two newly discovered vulnerabilities tracked under CVE-2022-27511 and CVE-2022-27512. The first vulnerability could allow system corruption leading to the admin password being reset after reboot, while the second bug could enable a threat actor to temporarily disrupt the ADM license service. This article continues to discuss what the exploitation of the Citrix ADM vulnerabilities could allow malicious actors to do.

Dark Reading reports "Critical Citrix Bugs Impact All ADM Servers, Agents"

A team of researchers from North Carolina State University and Dokuz Eylul University demonstrated the first side-channel attack on homomorphic encryption, which could be used to leak data while the encryption process is in progress. They were not able to crack homomorphic encryption using mathematical tools, so they used side-channel attacks instead. They monitored power consumption in a device that is encoding data for homomorphic encryption in order to read the data as it is being encrypted, thus demonstrating that even next-generation encryption technologies are in need of protection against side-channel attacks. Their paper titled "RevEAL: Single-Trace Side-Channel Leakage of the SEAL Homomorphic Encryption Library" reveals a power-based side-channel leakage of Microsoft SEAL prior to version 3.6 that implements the Brakerski/Fan-Vercauteren (BFV) protocol. Microsoft has been a leader in homomorphic encryption, developing the SEAL Homomorphic Encryption Library to help the broader research community conduct homomorphic encryption research and development. SEAL versions 3.6 and later use a different sampling algorithm, according to the researchers, who warn that newer versions of the library may be vulnerable to another weakness. This article continues to discuss the team's demonstration of the first side-channel attack on homomorphic encryption.

Security Boulevard reports "Researchers Demonstrate They Can Steal Data During Homomorphic Encryption"

According to an investigation by Cybernews, free VPN software provider BeanVPN has reportedly left almost 20GB of connection logs accessible to the public. Cybernews stated that the cache of 18.5GB connection logs allegedly contained more than 25 million records, including user device and Play Service IDs, connection timestamps, IP addresses, and more. During a routine checkup, the researchers found the database using an ElasticSearch instance, which the company has reportedly closed. If picked up by malicious actors, the information could be exploited to de-anonymize and thus identify BeanVPN's users and their approximate location. The researchers stated that the Play Service ID could also be used to find out the user's email address that they are signed in to their device with. According to the BeanVPN website, its privacy policy clearly states they don't collect logs of user activity, including no logging of browsing history, traffic destination, data content, or DNS queries. The privacy policy also says BeanVPN does not collect IP addresses, outgoing VPN IP addresses, connection timestamps, or session durations. Cybernews stated that BeanVPN is not following its privacy policy since the cache the researchers discovered contained all user data BeanVPN says it does not collect.

Infosecurity reports: "BeanVPN leaks 25 million user records"

The US Homeland Security Department's Cybersecurity and Infrastructure Security Agency (CISA), the National Security Agency (NSA), and the Federal Bureau of Investigation (FBI) issued a joint cybersecurity advisory on protection against cyber threats backed by China. The agencies have seen People's Republic of China state-sponsored cyber actors exploiting publicly known vulnerabilities to construct a broad network of compromised infrastructure. Threat actors have targeted public and private sector institutions worldwide, launching massive campaigns that exploit common vulnerabilities and exposures (CVEs). Over the last few years, a number of high-severity network device vulnerabilities gave cybercriminals the ability to exploit and gain access to vulnerable infrastructure devices. Furthermore, cyber defenders often overlook these devices as they try to maintain and keep up with software patching of Internet-facing services and endpoint devices. The government agencies urge critical infrastructure organizations to ensure their products and systems are always patched. Organizations are also encouraged to immediately remove or isolate infected devices as well as segment networks to prevent lateral movement. This article continues to discuss key points made in the joint advisory pertaining to countering China-backed cyber threats.

HealthITSecurity reports "CISA, FBI, NSA Provide Tips for Countering China-Backed Cyber Threats"

Around March 2022, a new peer-to-peer botnet called Panchan emerged in the wild, mining cryptocurrencies on Linux computers in the education sector. Panchan is equipped with SSH worm functions such as dictionary attacks and SSH key abuse, allowing rapid lateral movement to workstations in the infiltrated network. It also offers powerful detection evasion features, such as employing memory-mapped miners and dynamically detecting process monitoring to promptly halt the mining module. According to Akamai, whose analysts discovered and studied the unique threat, the threat actor behind this new project is most likely Japanese. Panchan is written in Golang, a versatile programming language that allows for simpler targeting of various system architectures. It spreads to new hosts by discovering and exploiting existing SSH keys or brute-forcing usernames and passwords. Following success at this stage, Panchan creates a secret folder in which it hides itself under the name "xinetd." The malware then runs the binary and sends an HTTPS POST request to a Discord webhook, which is most likely used to watch the user. To maintain persistence, the malware copies itself to "/bin/systemd-worker" and establishes a new systemd service to begin after a reboot, masquerading as a normal system service. Akamai reverse-engineered the malware in order to map it and discovered 209 infected systems, 40 of which are still operational. This article continues to discuss recent findings regarding the Panchan peer-to-peer botnet and what creates ideal conditions for the botnet to expand.

Bleeping Computer reports "New Peer-To-Peer Botnet Panchan Infects Linux Servers With Cryptominers"

Security researchers at Digital Shadows Photon Research stated that passwordless technology might be one of the most hyped categories in cybersecurity at the moment, but the reality on the ground is that passwords are still widely entrenched and wildly insecure. The researchers recently discovered that some 24.6 billion complete sets of usernames and passwords are currently circulating in cybercriminal marketplaces as of this year. The researchers noted this number equates to four complete sets of credentials for every person on Earth and a 65% increase since the last time this study was conducted, in 2020. The researchers noted that within the data set of credentials on the Dark Web, approximately 6.7 billion of the offerings had a unique pairing of username and password, indicating that the combination was not duplicated across databases. That's 1.7 billion more than what researchers found in 2020. Many of the passwords examined in these stolen data stores were not very secure in the first place. The researchers stated that this is just one in a multitude of reasons why security advocates and technology-standards organizations have been pushing so hard for more usable passwordless technology across the globe. According to a recent Dark Reading report, only 26% of IT decision-makers said they work in a passwordless organization, and 87% admitted they had at least one credential category that still depended on passwords.

Dark Reading reports: "24+ Billion Credentials Circulating on the Dark Web in 2022 -- So Far"

Splunk recently announced the release of out-of-band patches that address multiple vulnerabilities across Splunk Enterprise, including a critical issue that could lead to arbitrary code execution. Splunk uses Splunk Enterprise deployment servers to distribute configurations and content updates to various Enterprise instances, including forwarders, indexers, and search heads. Tracked as CVE-2022-32158 (CVSS score of 9.0), the newly addressed critical-severity vulnerability exists because Splunk Enterprise deployment servers prior to version 9.0 allow clients to leverage the server to deploy forwarder bundles to other clients. Due to this issue, an attacker could compromise a Universal Forwarder endpoint and then abuse it to execute arbitrary code on other endpoints connected to the deployment server. Splunk has resolved the issue by releasing Enterprise deployment server version 9.0 and encourages customers to update their instances to this version or higher. This week, the company also announced that it has resolved multiple high-severity bugs in Splunk Enterprise, including one where deployment servers in versions before 9.0 allow for forwarder bundles to be downloaded without authentication (CVE-2022-32157). The researchers stated that to resolve this issue, customers need to update their deployment servers to version 9.0 and then configure authentication for deployment servers and clients, which ensures that only universal forwarder versions 9.0 and later can be managed. The researchers noted that although the vulnerability does not directly affect Universal Forwarders, remediation requires updating all Universal Forwarders that the deployment server manages to version 9.0 or higher prior to enabling the remediation. Splunk noted that these vulnerabilities do not impact the Splunk Cloud Platform (SCP) because it does not offer or use deployment servers. Splunk has also resolved multiple TLS certificate validation issues, which could result in machine-in-the-middle attacks or could allow for connections from peers or nodes without valid certificates to not fail by default. Splunk stated that customers should upgrade to Splunk Enterprise version 9.0 or higher to resolve all of these flaws. Splunk says it has no evidence of these vulnerabilities being exploited in attacks.

SecurityWeek reports: "Critical Code Execution Vulnerability Patched in Splunk Enterprise"

Security researchers at Imperva found that account takeover (ATO) attacks targeting the financial services sector surged 58% from April to May this year, raising fears that fraudsters are focusing more on buy now, pay later (BNPL) schemes. The researchers noted that BNPL has become increasingly popular as the cost of living has increased, enabling consumers to buy the products they want by splitting purchases into smaller, interest-free payments. The global market is predicted to be worth a staggering $4tn by 2030. However, the researchers warned that new and emerging sectors like BNPL are often favorite targets of fraudsters, as they may initially have gaps in security and regulation which can be exploited. The researchers stated that both ATO and new account fraud (NAF) could impact the BNPL sector. The researchers noted that an ATO occurs when a fraudster takes over an existing BNPL account and uses it to make unauthorized purchases. In a NAF context, fraudsters use stolen and synthetic data to create new fake BNPL accounts to make purchases.

Infosecurity reports: "BNPL Fraud Alert as Account Takeovers Surge"

According to MIT researchers, analog-to-digital converters contained by smart devices, which encode real-world signals from sensors into digital values that can be processed computationally, are vulnerable to electromagnetic side-channel attacks. A hacker could measure the analog-to-digital converter's power supply current and apply Machine Learning (ML) to reconstruct output data. In two new papers, the MIT researchers show that analog-to-digital converters are also vulnerable to a stealthier type of side-channel attack, and provide methods to efficiently block both attacks. When conducting a power side-channel attack, a malicious agent typically solders a resistor onto the device's circuit board to evaluate its power usage. A noninvasive electromagnetic side-channel assault, on the other hand, uses an electromagnetic probe capable of detecting electric current without touching the device. The researchers demonstrated that an electromagnetic side-channel attack on an analog-to-digital converter was just as successful as a power side-channel attack, even when the probe was held 1 centimeter away from the chip. A hacker might use this exploit to obtain sensitive data from an implantable medical device. To prevent these attacks, the researchers randomized the ADC conversion process. This article continues to discuss the methods developed by MIT researchers to protect analog-to-digital converters in smart devices from power and electromagnetic side-channel attacks.

MIT reports "Researchers Demonstrate Two Security Methods That Efficiently Protect Analog-To-Digital Converters From Powerful Attacks"

If cloud services weren't complicated enough for the typical business today to properly configure and secure, there's also a lesser-known layer of middleware that cloud providers run that can harbor hidden security flaws. Researchers from Wiz.io recently unveiled an open source cloud middleware database on GitHub that details the specific middleware agents that Amazon Web Services (AWS), Google, and Microsoft install on their cloud customers' virtual machines. The researchers aim to shine a light on this traditionally hidden proprietary software layer and its potential software flaws that can leave a cloud customer unknowingly at risk of attack. The researchers stated that cloud providers often silently install these "secret agent" middleware programs on their customers' virtual machines, with the highest privileges, as a "bridge" between their cloud services and their customers' VMs. The Cloud Middleware Dataset database project aims to provide cloud customers insight into this layer of software they rarely know exists on their virtual machines in a cloud service and the potential security risks associated with it. The researchers stated that these agents are adding an additional attack surface, and cloud customers don't know about those agents. If they come pre-installed, organizations have no idea.

Dark Reading reports: "Beware the 'Secret Agent' Cloud Middleware"