Cybersecurity Briefing | A Recap of Cybersecurity News in July 2023
by Alex Applegate on Aug 4, 2023 11:52:57 AM
Industry State of the Art
Standards & Advisories
CISA has developed and published a factsheet, Free Tools for Cloud Environments, to help businesses transitioning into a cloud environment identify proper tools and techniques necessary for the protection of critical assets and data security. Free Tools for Cloud Environments provides network defenders and incident response/analysts open-source tools, methods, and guidance for identifying, mitigating, and detecting cyber threats, known vulnerabilities, and anomalies while operating a cloud or hybrid environment.
Cloud service platforms and cloud service providers (CSPs) have developed built-in security capabilities for organizations to enhance security capabilities while operating in cloud environments. Organizations are encouraged to use the built-in security features from CSPs and to take advantage of free CISA- and partner-developed tools/applications to fill security gaps and complement existing security features.
The Australian Signals Directorate’s Australian Cyber Security Centre (ACSC), the Cybersecurity and Infrastructure Security Agency (CISA), and the National Security Agency (NSA) are releasing a joint Cybersecurity Advisory (CSA), Preventing Web Application Access Control Abuse, to warn vendors, designers, developers, and end-user organizations of web applications about insecure direct object reference (IDOR) vulnerabilities. These vulnerabilities are frequently exploited by malicious actors in data breach incidents and have resulted in the compromise of personal, financial, and health information of millions of users and consumers.
ACSC, CISA, and NSA strongly encourage vendors, designers, developers, and end-user organizations to review the CSA, Preventing Web Application Access Control Abuse, for best practices, recommendations, and mitigations to reduce the prevalence of IDOR vulnerabilities and ensure web applications are secure-by-design and -default.
‘Shadow IT’ (also known as ‘grey IT’) is the name given to those unknown IT assets used within an organization for business purposes.
Whilst often thought of in terms of rogue devices connected to the corporate network, shadow IT can also apply to cloud technologies or services. For example, if users are storing sensitive, enterprise data in their personal cloud accounts (perhaps to access the data from another location or device), then that’s also shadow IT. Most organizations will have some level of shadow IT, even if they don’t realize.
Whatever format it takes, if shadow IT is prevalent, then risk management becomes very difficult because your organization won’t have a full understanding of what you want to protect. To help with this, the NCSC has published new guidance that shines a light on shadow IT. The guidance helps system owners and technical staff to better mitigate the presence of unknown (and therefore unmanaged) IT assets within their organization.
The FBI is paying increased attention to foreign adversaries’ attempts to utilize artificial intelligence as part of influence campaigns and other malicious activity, as well as their interest in tainting commercial AI software and stealing aspects of the emerging technology, a senior official said Friday.
The two main risks the bureau sees are “model misalignment” — or tilting AI software toward undesirable results during development or deployment — and the direct “misuse of AI” to assist in other operations, said the official, who spoke on the condition of anonymity during a conference call with reporters.
The official said foreign actors are “increasingly targeting and collecting against U.S. companies, universities and government research facilities for AI advancements,” such as algorithms, data expertise, computing infrastructure and even people.
As more organizations rely on the automation and scale that web applications and connected services provide, application programming interface (API) security has become imperative. In just the last year alone, unique attackers targeting customer APIs grew by 400%, proving that organizations must take a proactive approach to secure these increasingly valuable services.
But considering the rapidly evolving nature of API technology and the growing number of threats, knowing where and how to start securing APIs can be overwhelming. Fortunately, organizations like the Open Web Application Security Project (OWASP) have been working hard to identify the most common and dangerous API security risks that businesses should prioritize.
Legislation & Regulatory
Federal agency information systems and national critical infrastructure are vulnerable to cyberattacks.
This Snapshot covers the status of the National Cybersecurity Strategy. The strategy's goals and strategic objectives provide a good foundation, but the Administration needs to establish specific objectives and performance measures, resource requirements, and roles and responsibilities.
The US government on Tuesday added commercial spyware makers Intellexa and Cytrox to its Entity List, saying the duo are a possible threat to national security.
According to the Feds, Greece's Intellexa SA, Ireland's Intellexa Limited, North Macedonia's Cytrox AD, and Hungary's Cytrox Holdings are allied companies that developed and sold software that could be used by clients to infect and monitor other people's electronic devices and equipment. This "is acting contrary to the national security or foreign policy interests of the United States," as the US Dept of Commerce put it.
Adding Intellexa and Cytrox to the Entity List places export restrictions on the software vendors as part of the Biden administration's ongoing crackdown against commercial surveillance technology. It is now impossible for US organizations to do business legally with those placed on the list without special permission from Uncle Sam; the list effectively cuts off Intellexa et al from America.
The new U.S. Cyber Trust Mark program, proposed by Federal Communications Commission Chairwoman Jessica Rosenworcel, will help consumers make informed purchasing decisions and identify products in the marketplace with higher cybersecurity standards, the White House said.
The administration said several major electronics, appliance and consumer product manufacturers, retailers and trade associations have made voluntary commitments to increase cybersecurity for the products they sell. Participants include Amazon, Best Buy, Google, LG Electronics USA, Logitech and Samsung Electronics.
The proposed law enables companies to apply the shield logo after meeting established cybersecurity criteria. "The goal of the program is to provide tools for consumers to make informed decisions about the relative security of products they choose to bring into their homes," the administration said.
Experts are ringing the alarm bells over the risks unfettered development of artificial intelligence (AI) technology could pose to humanity. Enter the European Union (EU), already a leader in data protection and privacy rights, where the EU Parliament has agreed on a law governing AI technology.
Jonathan Dambrot, CEO of Cranium, says it's not surprising that the EU, once again, has taken the lead on tech regulation.
"We saw this with GDPR and data privacy, and now we're seeing the same with AI," he says.
While the text of the so-called AI Act will likely undergo further refinements and modifications, steady progress on the law indicates governments are stepping up to the challenge of harnessing — or attempting to harness — a technology that has come to dominate headlines in a few short months.
Even as security companies continue releasing products and features that leverage advanced artificial intelligence (AI), researchers continue to warn about the security holes and dangers such technology creates. To help formulate guidance on how to implement generative AI in particular more safely, the National Institute of Standards and Technology (NIST) announced the formation of a new working group.
Following January's release of the AI Risk Management Framework (AI RMF 1.0) and the March debut of the Trustworthy and Responsible AI Resource Center, NIST launched the Public Working Group on Generative AI on June 22 to address how to apply the framework to new systems and applications. The group will begin its work by developing a profile for AI use cases, then move on to testing generative AI, and finish up by evaluating how it can be used to address global issues in health, climate change, and other environmental concerns.
Generative AI has been a source of experimentation, concern, and intense business interest lately, especially since the launch of ChatGPT in November brought the state of the art into the public eye. To ensure that the working group takes the current temperature of the developer and security community, NIST said it will be joining the AI Village at DEF CON 2023 in Las Vegas on Aug. 11.
With riots rocking the country, French parliamentarians have passed a bill granting law enforcement the right to snoop on suspects via "the remote activation of an electronic device without the knowledge or consent of its owner."
That's the direct (via machine translation) language used in the French Senate's version of a justice reform bill passed earlier. According to French publication Le Monde, the French General Assembly just passed their version, albeit with a few amendments that will require the Senate to OK the changes before it can become law.
Under the provision, French police will have the right to activate cameras and microphones remotely, as well as gathering location data from devices belonging to suspects accused of committing crimes that are punishable by at least five years in jail. Police can gather data in that manner for up to six months, and any connected device – smartphones, laptops and even automobiles – can be used for surveillance.
Per Le Monde, lawmakers from French president Emmanuel Macron's Renaissance party added several amendments to what's been dubbed the "snoopers' charter" – requiring remote spying only be used "when justified by the nature and seriousness of the crime," and even then only for a "strict and proportional" length of time. Professions considered sensitive, including doctors, journalists, lawyers, judges and – of course – MPs can't be targeted under the law as passed by the General Assembly.
The U.S. Securities and Exchange Commission has adopted new rules requiring publicly traded companies to disclose cyberattacks within four business days after determining they're material incidents.
According to the Wall Street watchdog, material incidents are those that a public company's shareholders would consider important "in making an investment decision."
The SEC also adopted new regulations mandating foreign private issuers to provide equivalent disclosures following cybersecurity breaches.
An Irish civil liberties group went to court late this week to accuse the Irish Data Protection Commission (DPC) — the national independent authority responsible for upholding data privacy rights across Europe — of failing to properly investigate Google’s online advertising system, which it says is responsible for the biggest data breach ever recorded.
Because of the DPC’s position as an arbiter for data privacy practices across Europe, the court’s decision in the case, expected later this year, could potentially have a significant impact on online advertising practices worldwide.
The Irish Council for Civil Liberties (ICCL) has asked the Irish High Court to force the DPC to investigate the Google system, which produces personalized ads that populate millions of websites. ICCL says the technology often harvests deeply sensitive personal data that Google then sells to advertisers targeting individuals worldwide.
Johnny Ryan, an ICCL senior fellow and “real-time bidding” expert who once worked in the industry, is the plaintiff in the case, which the Irish High Court is expected to rule on later this year. Ryan first brought his claims to the DPC in 2017 and submitted a formal European General Data Protection Regulation complaint in 2018, ICCL said in a statement.
Mergers, Acquisitions, Funding, Partnerships
News with some relation to DNSFilter or its products
One component of computer security research assesses the effectiveness of machine learning models to create automation to detect or block malicious activity, and protective DNS is no exception. However, it is common practice for researchers to employ Top Domain Lists as the sole source for benign domains when training machine learning algorithms. Top Domain Lists are lists of domains compiled by technology companies that measure, in some specific sense, how “popular” a domain is. The most common example of a Top Domain List is the now-deprecated Amazon Alexa Top 1 Million. Now that Alexa has been deprecated, we hope that computer security researchers will shift their labeling strategies to using more representative methods; however, we fear that, instead, researchers will simply shift to alternative Top Domain Lists. This article is aimed at persuading computer security researchers to adopt a more representative methodology.
Artificial intelligence is enjoying a bit of what appears to be a golden era recently, but it’s not always a good thing, and sometimes, it willfully lies to you.
Today we had an incident that lasted for approximately one hour in the NYC region. I wanted to take the time to address this incident and review what happened, why it happened, what we did to resolve it, and what we’re doing to prevent future issues like this.
General highlights of significant events
General Industry News
Instagram Threads, the upcoming Twitter competitor from Meta, will not be launched in the European Union due to privacy concerns, according to Ireland's Data Protection Commission (DPC).
The development was reported by the Irish Independent, which said the watchdog has been in contact with the social media giant about the new product and confirmed the release won't extend to the E.U. "at this point."
Threads is Meta's answer to Twitter that's set for launch on July 6, 2023. It's billed as a "text-based conversation app" that allows Instagram users to "discuss everything from the topics you care about today to what'll be trending tomorrow."
Anyway, just a few short hours after advising everyone to get iOS and iPadOS 16.5.1 (a), because it fixes a zero-day exploit in Apple’s WebKit code and could therefore almost certainly be abused for malware nastinesses such as implanting spyware or grabbing private data from your phone…
…commenters (special thanks to John Michael Leslie, who posted on our Facebook page) started reporting that the update was no longer showing up when they used Settings > General > Software Update to try to update their devices.
Apple’s own security portal still lists [2023-07-11T15:00:00Z] the most recent updates as macOS 13.4.1 (a) and iOS/iPadOS 16.5.1 (a), dated 2023-07-10, with no notes about whether they’ve officially been suspended or not.
But reports via the MacRumors site suggest that the updates have been withdrawn for the time being.
Ukrainian cops have disrupted a massive bot farm with more than 100 operators allegedly spreading fake news about the Russian invasion, leaking personal information belonging to Ukrainian citizens, and instigating fraud schemes.
After conducting 21 searches, the country's cyber and national police seized computer equipment, mobile phones, more than 250 GSM gateways, and about 150,000 SIM cards.
"The Cyber Police established that the attackers used special equipment and software to register thousands of bot accounts in various social networks and subsequently launch advertisements that violated the norms and legislation of Ukraine," according to machine translation of the news alert issued by the police.
Insiders in Vinnytsia, Zaporizhzhia, and Lviv were involved in the bot farm, we're told. Law enforcement are pursuing charges of interference with electronic communications, unauthorized sale of information stored on computers, and knowingly spreading false notifications about safety threats. Investigations remain ongoing.
The U.S. Justice Department and the Federal Trade Commission (FTC) announced that Amazon has agreed to pay a $25 million fine to settle alleged children's privacy laws violations related to the company's Alexa voice assistant service.
Amazon has offered Alexa voice-activated products and services targeted at children under 13 years old since May 2018.
In May 2023, the Federal Trade Commission (FTC) and the U.S. Department of Justice (DOJ) filed charges against Amazon, accusing the company of violating children's privacy laws, which include the FTC Act, the Children's Online Privacy Protection Act (COPPA), and the COPPA Rule.
The charges were brought after Amazon failed to comply with parents' requests to delete their children's voice recordings and geolocation information.
According to the complaint, Amazon "failed for a significant period of time to honor parents' requests that it delete their children's voice recordings by continuing to retain the transcripts of those recordings and failing to disclose that it was doing so, also in violation of COPPA."
Furthermore, the company should have deleted users' voice information and geolocation data upon request but instead chose to retain that information for its potential use.
Amazon also faces a $5 million fine for privacy violations associated with its Ring video doorbell service.
Google has announced that it intends to add support for Messaging Layer Security (MLS) to its Messages service for Android and open source an implementation of the specification.
"Most modern consumer messaging platforms (including Google Messages) support end-to-end encryption, but users today are limited to communicating with contacts who use the same platform," Giles Hogben, privacy engineering director at Google, said. "This is why Google is strongly supportive of regulatory efforts that require interoperability for large end-to-end messaging platforms."
The development comes as the Internet Engineering Task Force (IETF) released the core specification of the Messaging Layer Security (MLS) protocol as a Request for Comments (RFC 9420).
Some of the other major companies that have thrown their weight behind the protocol are Amazon Web Services (AWS) Wickr, Cisco, Cloudflare, The Matrix.org Foundation, Mozilla, Phoenix R&D, and Wire. Notably missing from the list is Apple, which offers iMessage.
A Chinese cyber-espionage campaign revealed by Microsoft last week compromised the government email account of the US ambassador to China and other officials, a new report has claimed.
Citing people familiar with the matter, the Wall Street Journal revealed that the accounts of Nicholas Burns and Daniel Kritenbrink, the assistant secretary of state for East Asia, were among those compromised in the attacks.
They join Commerce Department secretary, Gina Raimondo, as the highest-profile victims thus far of the campaign, which Microsoft attributed to the Beijing-linked Storm-0558 group.
In a post on the dark web forum Dread, an administrator of ASAP has announced that the marketplace (one of the biggest on the dark web) will soon be closing and has urged users to withdraw their coins as soon as possible.
AhnLab Security Emergency response Center (ASEC) has confirmed instances where DNS TXT records were being utilized during the execution process of malware.
This is considered meaningful from various perspectives, including analysis and detection, as this method has not been widely utilized as a means of executing malware.
The DNS TXT record is a feature that allows domain administrators to input text into the DNS. Originally intended for the purpose of entering human-readable notes, the DNS TXT record is now being used to display various types of information saved in the DNS, such as spam email prevention, domain ownership verification, and more.
Mastodon, the free and open-source decentralized social networking platform, has patched four vulnerabilities, one of them a critical flaw that allows hackers to create arbitrary files on the server using specially crafted media files.
Mastodon has about 8.8 million users spread across 13,000 separate servers (instances) hosted by volunteers to support distinct yet inter-connected (federated) communities.
All four of the fixed issues were discovered by independent auditors at Cure53, a company that provides penetration testing for online services. The auditors inspected Mastodon's code at Mozilla's request.
The foundational Domain Name System, essentially the phone book for the internet, used to be something nobody using the net much noticed, but lately it has become more of a target, and the costs of attacks against it are huge and growing.
Recent events have once again brought issues involving the DNS, as it’s called for short, to the forefront. A new kind of denial-of-service attack called Water Torture is the most recent, but earlier this year saw other DNS-based attacks on Tesla’s network in January and a new malware toolkit called Decoy Dog that targeted business networks.
One reason has to do with the expansion of the internet. There are more targets, more bandwidth and more automated tools to launch attacks, making it easier for the bad guys to cast a wider net with more destructive power.
The DNS protocol is essential to almost every internet service and is used to translate alphabetic domain names, such as SiliconANGLE.com, and a set of numerical internet protocol addresses, such as 126.96.36.199, back and forth so that they have meaning both for humans and for machines and software.
It's hard to believe that despite so much manpower, time, and money dedicated to the cybersecurity industry, an entire class of vulnerability can fly under the radar. But researchers from Forescout argue that exactly this has happened with regard to flaws in Border Gateway Protocol (BGP) implementations.
Few technologies are more central to the Internet than BGP, which manages how packets of data get transmitted between networks. Its position in the global Web has earned it attention from state-level actors, the security community, and three-letter agencies.
However, most of the focus thus far, from every side, has been on the protocol itself, which is a problem. "When people go way too deep into one thing, they might leave a blind spot behind," warns Forescout researcher Daniel dos Santos, who will demonstrate several such blind spots in a presentation at next month's Black Hat USA.
Supply Chain Attacks
Threat actors are taking advantage of Android's WebAPK technology to trick unsuspecting users into installing malicious web apps on Android phones that are designed to capture sensitive personal information.
"The attack began with victims receiving SMS messages suggesting the need to update a mobile banking application," researchers from CSIRT KNF said in an analysis released last week. "The link contained in the message led to a site that used WebAPK technology to install a malicious application on the victim's device."
The application impersonates PKO Bank Polski, a multinational banking and financial services company headquartered in Warsaw. Details of the campaign were first shared by Polish cybersecurity firm RIFFSEC.
WebAPK allows users to install progressive web apps (PWAs) to their home screen on Android devices without having to use the Google Play Store.
Supply chain executives significantly overestimate stakeholder trust in their supply chain capabilities and intentions, according to Deloitte.
Of more than 1,000 executives from large global organizations surveyed, 89% on average who self-identified as leading suppliers said customers trust their supply chain operations, compared to just 68% on average of roughly 500 customers who said the same.
In looking more closely at the divide between executives self-identifying as leading suppliers versus customer perceptions of supplier trust, the gap was highest when measuring reliability in supply chains (25% gap; leading suppliers = 90%, customers = 65%), followed by humanity (e.g., treating workers, customers and other partners fairly and with respect; 24% gap, leading suppliers = 91%, customers = 67%), transparency (22% gap; leading suppliers = 85%, customers = 63%) and capability (e.g., ability to maintain operational consistency; 16% gap, leading suppliers = 91%, customers = 75%).
A critical design flaw in the Google Cloud Build service discovered by cloud security firm Orca Security can let attackers escalate privileges, providing them with nearly full and unauthorized access to Google Artifact Registry code repositories.
Dubbed Bad.Build, this flaw could enable the threat actors to impersonate the service account for the Google Cloud Build managed continuous integration and delivery (CI/CD) service to run API calls against the artifact registry and take control over application images.
This allows them to inject malicious code, resulting in vulnerable applications and potential supply chain attacks after deploying the malicious applications within customers' environments.
In two separate incidents, threat actors recently tried to introduce malware into the software development environment at two different banks via poisoned packages on the Node Package Manager (npm) registry.
Researchers at Checkmarx who observed the attacks believe them to be the first instances of adversaries targeting banks through the open source software supply chain. In a report this week, the vendor described the two attacks as part of a larger trend they have observed recently where banks have been the specific targets.
As artificial intelligence (AI) captivates the hearts and minds of business and technology executives eager to generate rapid gains from generative AI, security leaders are scrambling. Seemingly overnight, they’re being called to assess a whole new set of risks from a technology that is in its infancy.
Many are being called on to develop policies for emerging use cases of large language models (LLMs) before most technologists even fully understand how they work. And veteran security pros are ruminating on long-term game plans for managing risks in an AI-dominated landscape.
Software supply chain security issues are now familiar to most application security and DevSecOps pros. But AI is upping the demand on security teams that are already stretched thin, adding new risks that center on how AI researchers and developers source the AI models and training data they use to build their systems.
Martin Lewis, a financial journalist and broadcaster, was recently seen promoting an investment scam on Facebook — though, in reality, the widely circulated advertisement was a deepfake video impersonation promoting a Quantum AI investment.
Lewis, who said he does not advertise or promote investments such as these, quickly took to social media to put things in order, debunking any assertion that he was behind such an ad.
The usage of platforms like Cash App, Zelle, and Venmo for peer-to-peer payments has experienced a significant surge, with scams increasing by over 58%. Additionally, there has been a corresponding rise of 44% in scams stemming from the theft of personal documents, according to IDIQ.
The report also highlights the rise of AI voice scams as a significant trend in 2023. AI voice technology enables scammers to create remarkably realistic voices and convincingly imitate family members, friends and other trusted individuals.
“AI voice cloning scams are the scariest thing I have seen in the last 20 years,” said Scott Hermann, CEO of IDIQ and a cybersecurity and financial expert.
Hermann said, with just a short voice clip usually taken from social media, a scammer can clone a loved one’s voice and call a victim pretending to be that person. The scammer deceives the victim into thinking their loved one is in distress to get them to send money, provide personal information or perform other actions.
“AI voice technology has gotten to the point where a mother can’t tell the difference between her child’s voice and a machine – and scammers have pounced on this to commit crimes,” he said.
Open source is playing a growing role across the AI technology stack, but most (52%) projects reference known vulnerable dependencies in their manifest files, according to Endor Labs.
The security vendor’s latest State of Dependency Management report claimed that just five months after its release, ChatGPT’s API is used in 900 npm and PyPI packages across “diverse problem domains,” with 70% of these brand new packages.
However, as for any open source projects, the security risks associated with vulnerable dependencies must be managed, Endor Labs warned.
A quick search for “ChatGPT” on the dark web and Telegram shows 27,912 mentions in the past six months.
Much has been written about the potential for threat actors to use language models. With open source large language models (LLMs) such as LLaMA and Orca, and now the cybercrime model WormGPT, the trends around the commodification of cybercrime and the increasing capabilities of models are set to collide.
Threat actors are already engaging in rigorous discussions of how language models can be used for everything from identifying 0-day exploits to crafting spear-phishing emails.
Threat actors are showing an increased interest in generative artificial intelligence tools, with hundreds of thousands of OpenAI credentials for sale on the dark web and access to a malicious alternative for ChatGPT.
Both less skilled and seasoned cybercriminals can use the tools to create more convincing phishing emails that are customized for the intended audience to grow the chances of a successful attack.
Cybercriminals are leveraging generative AI technology to aid their activities and launch business email compromise (BEC) attacks, including use of a tool known as WormGPT, a black-hat alternative to GPT models specifically designed for malicious activities.
According to a report from SlashNext, WormGPT was trained on various data sources, with a focus on malware-related data. It generates human-like text based on the input it receives and is able to create highly convincing fake emails.
Screenshots from a cybercrime forum illustrate exchanges between malicious actors on how to deploy ChatGPT to aid successful BEC attacks, indicating hackers with limited fluency in the target language can use gen AI to fabricate a convincing email.
The research team also conducted an evaluation of the potential risks associated with WormGPT, with a specific focus on BEC attacks, instructing the tool to generate an email aimed at pressuring an unsuspecting account manager into making payment for a fraudulent invoice.
The results revealed WormGPT could not only execute a persuasive tone but was also "strategically cunning," an indicator of its capabilities for mounting sophisticated phishing and BEC attacks.
Phishing has been a digital thorn in the side of cybersecurity for over a decade. These unsolicited, cleverly masked requests are the wolf in sheep's clothing of the digital world. They are always looming, waiting for some unsuspecting employee to click on a malicious link or attachment that can send your company into a crisis.
In the ever-evolving cybersecurity landscape, understanding the phishing threat has become more critical than ever. It is recognized as a strategic technique under the Initial Access tactic in the MITRE ATT&CK framework. The FortiGuard Labs Global Threat Landscape Report for the second half of 2022 identifies phishing as the primary attack method being used to achieve initial access in a network breach, thereby laying the groundwork for further stages of an attack, as does the 2023 Global Ransomware Research Report.
One technique used by threat actors is to disguise their phishing attacks with creative names that look legitimate to the casual reader but that link to malicious sites. In this blog, we will look into a new threat resulting from the addition of a new Top-Level Domain (TLD), ‘.ZIP’.
Attackers have been observed using the notorious Sorillus remote access trojan (RAT) and phishing attacks to exploit Google Firebase Hosting infrastructure.
The novel threat was observed when eSentire's Security Operations Center (SOC) detected suspicious code in a manufacturing customer's network.
The security experts described the new threat in an advisory published on July 13, 2023, where they said attackers have been using Firebase Hosting due to its ability to obscure malicious content.
The evolving cyberattack landscape reveals the increasing utilization of generative artificial intelligence (AI) systems, like ChatGPT, by cybercriminals for crafting malicious content and executing sophisticated attacks, according to Acronis.
The biannual threat report highlights ransomware as the dominant risk to small and medium-sized businesses. And while the number of new ransomware variants continues to decline, ransomware attacks’ severity remains significant. Equally concerning is the growing prominence of data stealers, who leverage stolen credentials to gain unauthorized access to sensitive information.
“The volume of threats in 2023 has surged relative to last year, a sign that criminals are scaling and enhancing how they compromise systems and execute attacks,” said Candid Wüest, Acronis VP of Research.
Russia’s Foreign Intelligence Service hackers, which we call Cloaked Ursa (aka APT29, UAC-0004, Midnight Blizzard/Nobelium, Cozy Bear) are well known for targeting diplomatic missions globally. Their initial access attempts over the past two years have predominantly used phishing lures with a theme of diplomatic operations such as the following:
- Notes verbale (semiformal government-to-government diplomatic communications)
- Embassies’ operating status updates
- Schedules for diplomats
- Invitations to embassy events
These types of lures are generally sent to individuals who handle this type of embassy correspondence as part of their daily jobs. They are meant to entice targets to open the files on behalf of the organization they work for.
Recently, Unit 42 researchers observed instances of Cloaked Ursa using lures focusing on the diplomats themselves more than the countries they represent. We have identified Cloaked Ursa targeting diplomatic missions within Ukraine by leveraging something that all recently placed diplomats need – a vehicle.
We observed Cloaked Ursa targeting at least 22 of over 80 foreign missions located in Kyiv. While we don’t have details on their infection success rate, this is a truly astonishing number for a clandestine operation conducted by an advanced persistent threat (APT) that the United States and the United Kingdom publicly attribute to Russia’s Foreign Intelligence Service (SVR).
jsdelivr is a free, open-source content delivery network (CDN). It provides a fast and reliable way to host and distribute files, making it easier for developers to include external libraries and resources in their web projects. jsdelivr operates as a global CDN with numerous edge servers distributed worldwide. When a web page references a file hosted on jsdelivr, the file is fetched from the server closest to the user’s location, reducing latency and improving performance. jsdelivr supports versioning of hosted files, allowing developers to reference specific versions of libraries. This ensures that projects continue to work reliably even if the library undergoes updates or changes over time. It also provides a fallback mechanism in case a specific version is no longer available.
One of the key benefits of jsdelivr is the direct file links: Instead of using NPM to install the package and reference it locally, you can directly link to the file hosted on jsdelivr’s CDN. But as we will see today, even legit services such as the jsdelivr CDN can be abused for malicious purposes. Meet reactenz.
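The direct links and versioning described above can be inventoried from a defender's side. The following is an added example, not code from the original report: it lists the jsdelivr npm links in a page and marks whether each names one exact version. It assumes jsdelivr's public URL layout, `cdn.jsdelivr.net/npm/<package>@<version>/<file>`; the sample HTML and package names are constructed placeholders.

```python
import re
from urllib.parse import urlparse

# Exact release such as 1.4.2 or 1.0.0-beta.2; ranges and tags are not exact.
EXACT_VERSION = re.compile(r"^\d+\.\d+\.\d+(?:[-+][0-9A-Za-z.-]+)?$")
URL_IN_TEXT = re.compile(r"""https?://[^\s"'<>)]+""")

# Constructed sample page; package names are placeholders, not real findings.
SAMPLE_HTML = """
<script src="https://cdn.jsdelivr.net/npm/example-lib@1.4.2/dist/lib.min.js"></script>
<script src="https://cdn.jsdelivr.net/npm/example-lib/dist/lib.min.js"></script>
<script src="https://cdn.jsdelivr.net/npm/@example-scope/widget@2/index.js"></script>
<script src="https://cdn.jsdelivr.net/npm/example-lib@latest/dist/lib.min.js"></script>
<script src="https://example.com/static/app.js"></script>
"""

def classify(url):
    """Return (package, version, status) for a jsdelivr npm link, else None."""
    parsed = urlparse(url)
    if (parsed.hostname or "").lower() != "cdn.jsdelivr.net":
        return None
    parts = [p for p in parsed.path.split("/") if p]
    if len(parts) < 2 or parts[0] != "npm":
        return (None, None, "review")  # other jsdelivr endpoint: check by hand
    # Scoped packages span two path segments: @scope/name@version
    spec = "/".join(parts[1:3]) if parts[1].startswith("@") else parts[1]
    at = spec.rfind("@")  # index 0 is the scope marker, not a version separator
    package, version = (spec[:at], spec[at + 1:]) if at > 0 else (spec, None)
    pinned = bool(version and EXACT_VERSION.match(version))
    return (package, version, "pinned" if pinned else "floating")

def audit(text):
    """Classify every jsdelivr link found in text, in document order."""
    results = (classify(u) for u in URL_IN_TEXT.findall(text))
    return [r for r in results if r is not None]

if __name__ == "__main__":
    for package, version, status in audit(SAMPLE_HTML):
        print(f"{status:9} {package} {version or '(no version)'}")
```

A "floating" entry means the link does not name one exact release, so the file it resolves to can change without the page changing.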
Microsoft is further enhancing the Windows 11 Enhanced Phishing Protection by testing a new feature that warns users when they copy and paste their Windows password into websites and documents.
Recently, the Trend Micro incident response team engaged with a targeted organization after having identified highly suspicious activities through the Targeted Attack Detection (TAD) service. In the investigation, malicious actors used malvertising to distribute a piece of malware via cloned webpages of legitimate organizations. In this case, the distribution involved a webpage of the well-known application WinSCP, an open-source Windows application for file transfer.
Advertising platforms like Google Ads enable businesses to display advertisements to target audiences to boost traffic and increase sales. Malware distributors abuse the same functionality in a technique known as malvertising, where chosen keywords are hijacked to display malicious ads that lure unsuspecting search engine users into downloading certain types of malware.
Last month, FortiGuard Labs researchers discovered an emerging new threat called Big Head ransomware that could cause significant harm once it becomes operational. They believe that this ransomware is still under development.
Now, Trend Micro researchers Ieriz Nicolle Gonzalez, Katherine Casona, and Sarah Pearl Camiling have disclosed the inner workings of this ransomware, which is currently under development, in their latest report published on July 7th, 2023.
Researchers have dubbed this .NET-based ransomware “Big Head.” According to their assessment, there is no evidence of successful deployment of Big Head so far, and its developers may be experienced but not sophisticated threat actors.
Several versions of Big Head Ransomware have been spotted so far, raising concerns among the cybersecurity community. It is worth noting that most of the ransomware samples were discovered in the US, France, Spain, and Turkey.
Trend Micro examined three samples for its research, which revealed that Big Head is distributed in a malvertising campaign and as fake Microsoft Windows updates and MS Word installers.
Big Head Ransomware can deploy three encrypted binaries.
- The malware propagator: 1.exe
- The communication facilitator with Telegram: archive.exe
- The file encryption/fake Windows update launcher: Xarch.exe
Like all social media platforms, Facebook constantly has to deal with fake accounts, scams and malware. We have written about scams targeting consumers that redirect to fake Microsoft alert pages, but there are also threats targeting businesses that use Facebook to promote their products and services.
In the past few weeks, there's been a resurgence in sponsored posts and accounts that impersonate Meta/Facebook's own Ads Manager. Crooks are promising better advertising via optimization, and increased performance when you use their (malware-laden) software. Meta has tracked and analyzed several threat actors such as DuckTail that have been active for a number of years with a particular interest in Facebook advertising accounts.
Now, we've discovered a new attack that uses malicious Chrome extensions to steal Facebook account credentials and is not related to the DuckTail malware. While tracking this campaign, we noticed the threat actors made a mistake when they packaged one of the malware files with their own stolen data.
Cyber criminals continue to try new ways to steal private information. A new scam uncovered by Check Point Research (CPR) uses Facebook to scam unsuspecting people out of their passwords and private data by taking advantage of their interest in popular generative AI applications.
First, the criminals create fake Facebook pages or groups for a popular brand, including engaging content. The unsuspecting person comments on or likes the content, thereby ensuring it shows up on the feeds of their friends. The fake page offers a new service or special content via a link. But when the user clicks on the link, they unknowingly download malware designed to steal their online passwords, crypto wallets and other information saved in their browser.
Many of the fake pages offer tips, news and enhanced versions of AI services Google Bard or ChatGPT.
When researchers talk about DNS security, they often refer to anything that protects DNS infrastructure. Although protective DNS and DNS security fall under the cybersecurity umbrella, protective DNS takes a different approach to cybersecurity than standard DNS security. Both security strategies are important for the stability of your business, but protective DNS reduces risks from your weakest link–human error. Protective DNS is critical for you...
The impending Cisco Umbrella RC End-of-Life has many Umbrella users concerned about their next steps and questioning which protective DNS solution might be able to fill the gap for their organization.
Industry State of the Art
This month there was a high level of focus on compliance issues spanning several focus areas from governments and oversight agencies around the world. And while there were actions taken with regard to specific vulnerabilities, a larger spotlight was placed on bigger picture security considerations in a more general context.