Cybersecurity
- PSA: Lemmy.world has been compromised! (Edit: Multiple Instances are down) (lemmy.ml)
cross-posted from: https://lemmy.ml/post/1895271
> FYI!!! In case you start getting re-directed to porn sites.
>
> Maybe the admin got hacked?
>
> ---------
>
> edit: lemmy.blahaj.zone has also been hacked. beehaw.org is also down, possibly intentionally by their admins until the issue is fixed.
>
> Post discussing the point of vulnerability: https://lemmy.ml/post/1896249
>
> Github Issue created here: https://github.com/LemmyNet/lemmy-ui/issues/1895
So far, there hasn't been any confirmation if any sensitive data is stolen.
- New StackRot Linux kernel flaw allows privilege escalation (www.bleepingcomputer.com)
A new privilege escalation vulnerability impacting Linux was discovered, enabling unprivileged local users to compromise the kernel and elevate their rights to attain root-level access.
- 336,000 servers remain unpatched against critical Fortigate vulnerability (arstechnica.com)
69 percent of devices have yet to receive patch for flaw allowing remote code execution.
Researchers say that nearly 336,000 devices exposed to the Internet remain vulnerable to a critical vulnerability in firewalls sold by Fortinet because admins have yet to install patches the company released three weeks ago.
CVE-2023-27997 is a remote code execution in Fortigate VPNs, which are included in the company’s firewalls. The vulnerability, which stems from a heap overflow bug, has a severity rating of 9.8 out of 10. Fortinet released updates silently patching the flaw on June 8 and disclosed it four days later in an advisory that said it may have been exploited in targeted attacks. That same day, the US Cybersecurity and Infrastructure Security Administration added it to its catalog of known exploited vulnerabilities and gave federal agencies until Tuesday to patch it.
- Encryption Community (lemmy.world)
Lemmy community discussing encryption used in the digital space.
- Ukrainian banks hit by pro-Russian NoName hackers
The Russian-linked hacktivist group NoName has been relentlessly targeting the Ukrainian financial sector in its latest campaign against the war-torn nation.
“We will start today's journey with an attack on the financial sector of Ukraine,” the gang posted on their encrypted Telegram channel June 27.
Since the threat actors' edict four days ago, nearly a dozen major Ukrainian banks have been hit daily by the gang's signature DDoS attack method.
Targets include four of the nation's largest commercial banks, including First Ukrainian International Bank (PUMB), State Savings Bank of Ukraine (Oshchadbank), Credit Agricole Bank, and Universal Bank.
The pro-Russian hacking conglomerate, officially known in the security world as NoName057(16), said its latest campaign is aimed at disrupting Ukraine's online banking Internet infrastructure.
Besides claiming to have knocked several of the bank websites completely offline, the gang has also specifically gone after authorization services, login portals, customer service systems, and loan processing services.
- A Quick-Response Initiative Brings a Year of MITRE Support to Ukraine
A year after the Russian invasion of Ukraine, MITRE efforts to develop and deliver needed technology and relief endure and grow, helping the people on the ground who need it most.
When Russian forces invaded Ukraine, SpaceX sent Starlink satellite internet kits to counter Russian attacks disrupting the country’s internet service. But Starlink technology needs a reliable power source and secure connection to the satellite constellation that processes communications signals. The designers didn’t intend it to be portable or to function in a war zone. Humanitarian and aid-group relief workers in Ukraine needed a system with added resilience.
Enter MITRE. Engineer Joseph Roth and team designed the Starlink Advantage kit to provide energy-independent, reliable access that incorporates cybersecurity, as well as protection from physical targeting. A tote can hold all the components: a terminal providing 100+ Mbps internet speed, a VPN-secured Wi-Fi router, a battery-powered/solar panel generator, a laptop, a car adapter, and technology to protect the network from missile strikes.
- IoT devices and Linux-based systems targeted by OpenSSH trojan campaign | Microsoft Security Blog (www.microsoft.com)
Microsoft has uncovered an attack leveraging custom and open-source tools to target internet-facing IoT devices and Linux-based systems. The attack involves deploying a patched version of OpenSSH on affected devices to allow root login and the hijack of SSH credentials.
Microsoft researchers have recently discovered an attack leveraging custom and open-source tools to target internet-facing Linux-based systems and IoT devices. The attack uses a patched version of OpenSSH to take control of impacted devices and install cryptomining malware.
Utilizing an established criminal infrastructure that has incorporated the use of a Southeast Asian financial institution’s subdomain as a command and control (C2) server, the threat actors behind the attack use a backdoor that deploys a wide array of tools and components such as rootkits and an IRC bot to steal device resources for mining operations. The backdoor also installs a patched version of OpenSSH on affected devices, allowing threat actors to hijack SSH credentials, move laterally within the network, and conceal malicious SSH connections. The complexity and scope of this attack are indicative of the efforts attackers make to evade detection.
- Days of Chaos: How OSINT Helps Us Understand the Putin-Prigozhin Schism (flashpoint.io)
Over the course of two days, social media and messaging platforms like Telegram played a key role in understanding events, rumors, and ideas surrounding the Putin-Prigozhin schism.
- SolarWinds says SEC investigation 'progressing to charges' (therecord.media)
SolarWinds — the technology firm at the center of a December 2020 hack that affected multiple U.S. government agencies — said its executives may soon face charges from the U.S. Securities and Exchange Commission (SEC) for its response to the incident.
The widespread hack – which the U.S. government attributed to the Russian Foreign Intelligence Service – affected several large companies as well as the Defense Department, Justice Department, Commerce Department, Treasury Department, the Department of Homeland Security, the State Department, the Department of Energy and more.
Hackers found a way to insert malware into a version of the company’s Orion IT monitoring application, allowing Russian operatives to gain a foothold in high-value targets. They used the access to deploy additional malware to compromise internal and cloud-based systems and steal sensitive information over several months.
- Hackers attack Russian satellite telecom provider, claim affiliation with Wagner Group (cyberscoop.com)
The attackers released nearly 700 files associated with the attack.
Unidentified hackers claimed to have targeted Dozor, a satellite telecommunications provider that services power lines, oil fields, Russian military units and the Federal Security Service (FSB), among others, according to a message posted to Telegram late Wednesday night.
“The DoZor satellite provider (Amtel group of companies), which serves power lines, oil fields, military units of the Russian Defense Ministry, the Federal Security Service, the pension fund and many other projects, including the northern merchant fleet and the Bilibino nuclear power plant, went to rest,” the group’s first message read, according to a translation. “Part of the satellite terminals failed, the switches rebooted, the information on the servers was destroyed.”
- Microsoft Warns of Widescale Credential Stealing Attacks by Russian Hackers (thehackernews.com)
Microsoft exposes a surge in credential-stealing attacks by Russian hacker group Midnight Blizzard.
Microsoft has disclosed that it's detected a spike in credential-stealing attacks conducted by the Russian state-affiliated hacker group known as Midnight Blizzard.
The intrusions, which made use of residential proxy services to obfuscate the source IP address of the attacks, target governments, IT service providers, NGOs, defense, and critical manufacturing sectors, the tech giant's threat intelligence team said.
Midnight Blizzard, formerly known as Nobelium, is also tracked under the monikers APT29, Cozy Bear, Iron Hemlock, and The Dukes.
The group, which drew worldwide attention for the SolarWinds supply chain compromise in December 2020, has continued to rely on unseen tooling in its targeted attacks aimed at foreign ministries and diplomatic entities.
- BlackLotus bootkit patch may bring "false sense of security", warns NSA (www.tripwire.com)
The NSA has published a guide about how to mitigate against attacks involving the BlackLotus bootkit malware.
BlackLotus is a sophisticated piece of malware that can infect a computer's low-level firmware, bypassing the Secure Boot defences built into Windows 10 and Windows 11, and allowing the execution of malicious code before a PC's operating system and security defences have loaded.
In this way, attackers could disable security measures such as BitLocker and Windows Defender, without triggering alarms, and deploy BlackLotus's built-in protection against the bootkit's own removal.
Although Microsoft issued a patch for the flaw in Secure Boot back in January 2022, its exploitation remains possible as the affected, validly-signed binaries have not been added to the UEFI revocation list.
Earlier this year, security researchers explained how BlackLotus was taking advantage of this, "bringing its own copies of legitimate – but vulnerable – binaries to the system in order to exploit the vulnerability."
According to the NSA, there is "significant confusion" about the threat posed by BlackLotus:
“Some organizations use terms like 'unstoppable,' 'unkillable,' and 'unpatchable' to describe the threat. Other organizations believe there is no threat due to patches that Microsoft released in January 2022 and early 2023 for supported versions of Windows. The risk exists somewhere between both extremes."
According to the NSA's advisory, patching Windows 10 and Windows 11 against the vulnerabilities is only "a good first step."
In its mitigation guide, the agency details additional steps for hardening systems.
However, as they involve changes to how UEFI Secure Boot is configured, they should be undertaken with caution: they cannot be reversed once activated, and could leave current Windows boot media unusable if mistakes are made.
"Protecting systems against BlackLotus is not a simple fix," said NSA platform security analyst Zachary Blum.
- China's 'Volt Typhoon' APT Now Exploits Zoho ManageEngine (www.darkreading.com)
A recent campaign shows that the politically motivated threat actor has more tricks up its sleeve than previously known, targeting an old RCE flaw and wiping logs to cover their tracks.
The recently discovered Chinese state-backed advanced persistent threat (APT) "Volt Typhoon," aka "Vanguard Panda," has been spotted using a critical vulnerability in Zoho's ManageEngine ADSelfService Plus, a single sign-on and password management solution. And it's now sporting plenty of previously undisclosed stealth mechanisms.
Volt Typhoon came to the fore last month, thanks to joint reports from Microsoft and various government agencies. The reports highlighted the group's infection of critical infrastructure in the Pacific region, to be used as a possible future beachhead in the event of conflict with Taiwan.
- Apple issues emergency patch to address alleged spyware vulnerability (cyberscoop.com)
The fix follows allegations from a Russian intelligence service that an intentional flaw in iPhones provided a gateway for American espionage.
Apple issued a security update on Wednesday for all its operating systems to patch dangerous vulnerabilities that could allow attackers to take over someone’s entire device.
The vulnerabilities in question, first revealed on June 1, appeared to have led the main Russian intelligence agency to make unusually public claims that Apple intentionally left the flaws in its iOS so the National Security Agency and other U.S. entities could compromise “thousands” of iPhones in Russia. Apple has denied those claims.
The charges from the Federal Security Service, or FSB, came the same day that researchers with cybersecurity firm Kaspersky published a report detailing what they said was an “ongoing” zero-click iMessage exploit campaign dubbed “Operation Triangulation” targeting iOS that allowed attackers to run code on phones with root privileges, among other capabilities. Kaspersky published an additional analysis Wednesday, saying that after roughly six months of collecting and analyzing the data, “we have finished analyzing the spyware implant and are ready to share the details.”
- How CISOs can balance the risks and benefits of AI (www.csoonline.com)
Rapid growth and development of AI is pushing the limits of cybersecurity and CISOs must take charge now to be ahead of a range of risks including data leak, compliance and prompt injection attacks.
The rapid pace of change in AI makes it difficult to weigh the technology's risks and benefits, and CISOs should not wait to take charge of the situation. Risks range from prompt injection attacks and data leakage to governance and compliance.
All AI projects have these issues to some extent, but the rapid growth and deployment of generative AI is stressing the limits of existing controls while also opening new lines of vulnerability.
If market research is any indication of where the use of AI is going, CISOs can expect 70% of organizations to explore generative AI driven by the use of ChatGPT. Nearly all business leaders say their company is prioritizing at least one initiative related to AI systems in the near term, according to a May PricewaterhouseCoopers’ report.
- The Role Of Impactful Penetration Testing Amid Rise Of AI-Powered Threat Actors (informationsecuritybuzz.com)
It’s no secret that penetration testing is among the most effective methodologies for helping determine an organization’s risk posture.
The rise of ChatGPT has been well-documented as a cybercrime gamechanger, democratizing highly advanced tactics, techniques, and procedures (TTPs) so average adversarial threat actors can increase lethality at low cost. Empowering run-of-the-mill hackers to continuously punch above their weight class will only continue to amplify the volume and velocity of attacks, heightening the importance of effective penetration testing programs that help mitigate the severe business impact of breaches. On average, victims lost a record-high $9.4 million per breach in 2022.
Compounding the issue is a pattern of poor security posture across the public and private sectors. SANS 2022 Ethical Hacking Survey found that more than three-quarters of respondents indicated “only a few or some” organizations have effective Network Detection and Response (NDR) capabilities in place to stop an attack in real-time. Furthermore, nearly 50% said that most organizations are either moderately or highly incapable of detecting and preventing cloud- and application-specific breaches. It’s clear that more must be done to swing the balance of power away from adversaries.
Enter penetration testing, which can provide unrivalled contextual awareness for refining cyber defences, threat remediation, and recovery processes within an overarching risk management architecture. For organizations implementing penetration testing programs at scale, keep the following fundamental tenets top of mind to maximize impact.
- Week in review: Microsoft confirms DDoS attacks on M365 and Azure Portal, Infosecurity Europe 2023 - Help Net Security (www.helpnetsecurity.com)
Here's an overview of some of last week's most interesting news, articles, interviews and videos:
Unraveling the multifaceted threats facing telecom
Microsoft Teams vulnerability allows attackers to deliver malware to employees
Security researchers have uncovered a bug that could allow attackers to deliver malware directly into employees' Microsoft Teams inbox.
Apple fixes zero-day vulnerabilities used to covertly deliver spyware (CVE-2023-32435)
Apple has released patches for three zero-day vulnerabilities (CVE-2023-32434, CVE-2023-32435, CVE-2023-32439) exploited in the wild.
VMware Aria Operations for Networks vulnerability exploited in the wild (CVE-2023-20887)
CVE-2023-20887, a pre-authentication command injection vulnerability in VMware Aria Operations for Networks (formerly vRealize Network Insight), has been spotted being exploited in the wild.
- Cybersecurity podcast favorites and recommendations?
I'm a newbie to podcasts, but I got hooked recently because I can listen while doing something else.
What are your favorite cybersecurity podcasts? I'm not even sure the best way to link podcasts either, but regardless: the ones I'm liking so far are:
The Cyberwire: https://thecyberwire.com/podcasts
CISO Series: https://cisoseries.com/
Darknet Diaries: https://darknetdiaries.com/
Cybersecurity Today: https://www.itworldcanada.com/podcasts
Smashing Security: https://www.smashingsecurity.com/
Malicious Life: https://malicious.life/
Any more great recommendations? Any drama about the above ones?
- Beyond the Horizon: Traveling the World on Camaro Dragon's USB Flash Drives - Check Point Research (research.checkpoint.com)
Executive summary
In early 2023, the Check Point Incident Response Team (CPIRT) investigated a malware incident at a European healthcare institution involving a set of tools mentioned in the Avast report in late 2022. The incident was attributed to Camaro Dragon, a Chinese-based espionage threat actor whose activities overlap with activities tracked by different researchers as Mustang Panda and LuminousMoth, and whose focus is primarily on Southeast Asian countries and their close peers.
The malware gained access to the healthcare institution systems through an infected USB drive. During the investigation, the Check Point Research (CPR) team discovered newer versions of the malware with similar capabilities to self-propagate through USB drives. In this way, malware infections originating in Southeast Asia spread uncontrollably to different networks around the globe, even if those networks are not the threat actors’ primary targets.
The main payload variant, called WispRider, has undergone significant revisions. In addition to backdoor capabilities and the ability to propagate through USB using the HopperTick launcher, the payload includes additional features, such as a bypass for SmadAV, an anti-virus solution popular in Southeast Asia. The malware also performs DLL-side-loading using components of security software, such as G-DATA Total Security, and of two major gaming companies (Electronic Arts and Riot Games). Check Point Research responsibly notified these companies on the above-mentioned use of their software by the attackers.
The findings in this report, along with corroborating evidence from other industry reports, confirm that Chinese threat actors, including Camaro Dragon, continue to effectively leverage USB devices as an infection vector.
The prevalence and nature of the attacks using self-propagating USB malware demonstrate the need to protect against them, even for organizations that may not be the direct targets of such campaigns. We found evidence of USB malware infections in at least the following countries: Myanmar, South Korea, Great Britain, India and Russia.
- PSA: Upgrade your LUKS PBKDF to Argon2id!!
TIL the French government may have broken encryption on a LUKS-encrypted laptop with a "greater than 20 character" password in April 2023.
- https://nantes.indymedia.org/posts/87395/une-lettre-divan-enferme-a-la-prison-de-villepinte-perquisitions-et-disques-durs-dechiffres/
When upgrading TAILS today, I saw their announcement changing LUKS from PBKDF2 to Argon2id.
- https://tails.boum.org/security/argon2id/index.en.html
The release announcement above has some interesting back-of-the-envelope calculations for the wall-time required to crack a master key from a LUKS keyslot with PBKDF2 vs Argon2id.
And they also link to Matthew Garrett's article, which describes how to manually upgrade your (non-TAILS) LUKS header to Argon2id.
- https://mjg59.dreamwidth.org/66429.html
- US Military Personnel Receiving Unsolicited, Suspicious Smartwatches (www.securityweek.com)
The US Army says unsolicited, suspicious smartwatches are being sent to soldiers, exposing them to malware attacks.
The U.S. Army’s Criminal Investigation Division is urging military personnel to be on the lookout for unsolicited, suspicious smartwatches in the mail, warning that the devices could be rigged with malware.
In an alert issued this week, the army said service members across the military have reported receiving smartwatches unsolicited in the mail and noted that the smartwatches, when used, "have auto-connected to Wi-Fi and began connecting to cell phones unprompted, gaining access to a myriad of user data."
“These smartwatches may also contain malware that would grant the sender access to saved data to include banking information, contacts, and account information such as usernames and passwords,” the army warned.
“Malware may be present which accesses both voice and cameras, enabling actors access to conversations and accounts tied to the smartwatches,” it added.
What is unclear, however, is whether this is an attack targeting American military personnel. The smartwatches, the investigation division noted, may also be meant to run illegal brushing scams.
“Brushing is the practice of sending products, often counterfeit, unsolicited to seemingly random individuals via mail in order to allow companies to write positive reviews in the receiver’s name allowing them to compete with established products,” the agency said.
- Have I Been Pwned Domain Searches: The Big 5 Announcements!
There are presently 201k people monitoring domains in Have I Been Pwned (HIBP). That's massive! That's 201k people that have searched for a domain, left their email address for future notifications when the domain appears in a new breach and successfully verified that they control the domain. But that's only a subset of all the domains searched, which totals 231k. In many instances, multiple people have searched for the same domain (most likely from the same company given they've successfully verified control), and also in many instances, people are obviously searching for and monitoring multiple domains. Companies have different brands, mergers and acquisitions happen and so on and so forth. Larger numbers of domains also means larger numbers of notifications; HIBP has now sent out 2.7M emails to those monitoring domains after a breach has occurred. And the largest number of the lot: all those domains being monitored encompass an eye watering 273M breached email addresses 😲
The point is, just as HIBP itself has escalated into something far bigger than I ever expected, so too has the domain search feature. Today, I'm launching an all new domain search experience and 5 announcements about major changes surrounding it. Let's jump into it!
Announcements:
- 1: There's an all new domain search dashboard
- 2: From now on, domain verification only needs to happen once
- 3: Domain searches are now entirely "serverless"
- 4: There are lots of little optimisation tweaks
- 5: Searches for small domains will remain free whilst larger domains will soon require a commercial subscription
- Top 5 Malware Trends on the Horizon (www.tripwire.com)
Here are 5 malware trends on the horizon that IT professionals should be on the lookout for as they impact organizations and individuals across the globe.
Cybercrime has become a dominant concern for many businesses, as well as individuals. Cybercriminals will target any business, and any individual if they can realize a profit from their minimal efforts. One of the ways that criminals achieve their goals is through the use of malware that garners a fast profit, such as ransomware. More enterprising criminals will use more persistent malware, which enables them to return to the target for further victimization.
Malware has progressed, revealing some trends that may help cybersecurity professionals in combatting current and future strains.
#1. Malware is becoming increasingly aggressive and evasive
Evasive malware, designed to thwart traditional security technologies like first-generation sandboxes and signature-based gateways, is not new. However, the trend toward more sophisticated, aggressive, and evasive malware will probably emerge as a result of the latest developments in Artificial Intelligence (AI). In the past, evasive maneuvers have made static malware analysis approaches insufficient. Fortunately, AI will also be useful in dynamic analysis. Sadly, this could result in a war of machines, creating service disruptions as the two entities battle for supremacy.
#2. Multi-Factor Authentication (MFA) Attacks
Multi-Factor Authentication has finally gained wider adoption in corporate as well as individual settings. What seemed like a panacea to the brute-force attack problem has been shown to be a bit more vulnerable than originally hoped. For example, if a person’s credentials have been compromised, a technique known as “prompt bombing” can be used to create MFA fatigue, eventually causing a person to accept a login notification just to silence the alerts. Many attacks against MFA involve scanning vulnerable login processes to inject the second-factor codes into websites. While not considered malware in the traditional sense, MFA exploits have the same effect of automating an exploit to gain access to sensitive information.
#3. Targeted attacks will give way to mass exploit customization
Targeted attacks require a substantial amount of manual work on the part of the attackers in order to identify victims and then engineer attacks that can fool the victim, as well as create customized compromises and better pre-attack reconnaissance. While attackers have not yet automated these tasks, it is reasonable to assume that some are attempting to do so. One tell-tale sign of automated reconnaissance is its inability to change its behavior. The best defense against this is for cybersecurity professionals to recognize the patterns that are used to compromise a target and work to mitigate those exposures.
#4. More consumer and enterprise data leaks via cloud apps
As we grow more dependent on cloud services, we introduce new exposures. More attackers are targeting cloud-based information. There also seems to be diminished awareness about the implications of putting personal and commercial data and media in the cloud. Moreover, as cloud data management becomes unwieldy, new security vulnerabilities may become public. Malware that results in cloud breaches could present fertile ground for attackers. Cybersecurity professionals must remember that cloud security is not the responsibility of the cloud provider. Proactive protection, as well as testing, remain vital to keeping cloud data safe.
#5. Your refrigerator is running exploits
Devices that weren’t previously connected to the internet, like home appliances, cars, or photo frames, could become the weakest link in our always-on lifestyles. As everything moves online and adoption grows markedly, there will be attacks through systems we haven’t even considered yet. As more personal devices enter office environments, and as office environments have spread to homes, the Internet of Things (IoT) becomes an even greater attack surface.
- DOJ establishes cybercrime enforcement unit as U.S. warnings mount over Chinese hacking (cyberscoop.com)
Assistant Attorney General for National Security Matt Olsen said the center will speed up disruption campaigns and prosecutions.
The Department of Justice established a cyber-focused section within its National Security Division to combat the full range of digital crimes, a top department official said Tuesday.
The National Security Cyber Section — NatSec Cyber, for short — has been approved by Congress and will elevate cyberthreats to “equal footing” with other major national security issues, including counterterrorism and counterintelligence, Assistant Attorney General for National Security Matt Olsen said in remarks at the Hoover Institution in Washington.
The new section enables the agency to “increase the scale and speed of disruption campaigns and prosecutions of nation-state cyberthreats as well as state-sponsored cybercriminals, associated money launderers, and other cyber-enabled threats to national security,” Olsen said.
- Cooperation or Competition? China's Security Industry Sees the US, Not AI, as the Bigger Threat (www.securityweek.com)
China's security and surveillance industry is focused on shoring up its vulnerabilities to the US and other outside actors, worried about risks posed by hackers, advances in AI and pressure from rival governments.
After years of breakneck growth, China’s security and surveillance industry is now focused on shoring up its vulnerabilities to the United States and other outside actors, worried about risks posed by hackers, advances in artificial intelligence and pressure from rival governments.
The renewed emphasis on self-reliance, combating fraud and hardening systems against hacking was on display at the recent Security China exhibition in Beijing, illustrating just how difficult it will be to get Beijing and Washington to cooperate even as researchers warn that humankind faces common risks from AI. The show took place just days after China’s ruling Communist Party warned officials of the risks posed by artificial intelligence.
Looming over the four-day meet: China’s biggest geopolitical rival, the United States. American-developed AI chatbot ChatGPT was a frequent topic of conversation, as were U.S. efforts to choke off China’s access to cutting-edge technology.
- Maine Bans Artificial Intelligence Use by State Agencies for 6 Months Due to 'Cybersecurity Risks' (www.themainewire.com)
A new policy directive from Maine Information Technology (MaineIT) has put a six-month moratorium on the adoption and use of Generative Artificial Intelligence (AI) technology within all State of Maine agencies due to “significant” cybersecurity risks.
The prohibition on AI will include large language models that generate text such as ChatGPT, as well as software that generates images, music, computer code, voice simulation, and art.
It’s unclear whether and to what extent state employees have been relying on emerging AI tools as part of their jobs. Maine may be the first state in the U.S. to impose such a moratorium.
According to an email sent on Wednesday to all Executive Branch agencies and employees from Maine’s Acting Chief Information Officer Nick Marquis, MaineIT issued a “cybersecurity directive” prohibiting the use of AI for all state business and on all devices connected to the state’s network for six months, effective immediately.
- Cybersecurity certifications like ISO 27001 ‘cumbersome’ to maintain – BBC CISO (techmonitor.ai)
BBC CISO Helen Rabe says accreditation schemes like ISO 27001 are a costly burden, and has questioned their value to businesses.
The BBC CISO says she is a “consummate cynic” about cybersecurity certifications. Helen Rabe believes schemes like the widely recognised ISO 27001 standard are “time consuming” and “cumbersome” to maintain for tech teams, and could be ripe for reform.
Rabe was speaking as part of a panel at the Infosec Europe conference in London, where she joined Munawar Vallji, CISO at rail ticketing platform Trainline, and Dr Emma Philpott, of advisory group the IASME Consortium, for a panel on the future of cybersecurity certifications.
BBC CISO ‘cynical’ about cybersecurity certifications
Cybersecurity certifications are designed to ensure organisations have an appropriate level of security across their teams. The most common certification is the ISO 27001 from the International Organisation of Standards, which was updated last year and is held by more than 30,000 companies.
While these certifications are not a legal requirement, they can be a contractual stipulation for IT buyers, particularly in public sector organisations. Speaking to Tech Monitor last year, Alan Calder, founder and executive chairman of cyber risk and privacy management company IT Governance, said: “The Department of Work and Pensions, for instance, requires organisations it is contracting to have ISO specification.”
- 5 ways generative AI will help bring greater precision to cybersecurity (venturebeat.com)
Cybersecurity vendors have different visions of how generative AI can serve customers, but all know they must provide guidance to reduce risk.
Every cybersecurity vendor has a different vision of how generative AI will serve its customers, yet they all share a common direction. Generative AI brings a new focus on data accuracy, precision and real-time insights. DevOps, product engineering and product management are delivering new generative AI-based products in record time, looking to capitalize on the technology’s strengths.
The 5 from the article:
- Real-time risk assessment and quantification
- Generative AI will revolutionize extended detection and response (XDR)
- Improving endpoint resilience, self-healing capability and contextual intelligence
- Improving existing AI-based automated patch management techniques
- Managing the use of generative AI tools, including AI-based chatbot services
- Over 100,000 Stolen ChatGPT Account Credentials Sold on Dark Web Marketplaces (thehackernews.com)
cross-posted from: https://kbin.social/m/tech/t/67505
> Over 100,000 OpenAI ChatGPT account credentials have been compromised and sold on the dark web. Cybercriminals are targeting the valuable information.
- Anonymous Sudan's questionable provenance - Researchers point to actually being Russian (thecyberwire.com)
Complex, well-resourced, and well-organized, Anonymous Sudan looks like a front group for an intelligence service.
Researchers are moved to conclude that Anonymous Sudan is a Russian-run operation, and not the Islamist patriotic hacktivist collective it claims to be.
Is Anonymous Sudan a Russian front group, or a grassroots religious hacktivist group? Researchers at CyberCX have released an intelligence update on Anonymous Sudan after that threat group attacked Australian government organizations. The researchers point out that they assess, with high confidence, that Anonymous Sudan is unlikely to be the simple religious hacktivist group it purports to be, “and that Anonymous Sudan is unlikely to be geographically linked to Sudan.” CyberCX also assesses that the threat group uses a substantial paid proxy infrastructure across various countries to conduct its attacks. “Traffic was highly dispersed, with the common infrastructure across attacks spanning 1720 Autonomous Systems (AS) over 132 countries. Indonesia was the most represented country of origin, followed by Malaysia and the United States,” the researchers explained. That infrastructure probably costs about $2,700 per month. This is an estimate. As CyberCX points out, given the inherently closed nature of the proxy services, “it is difficult to estimate Anonymous Sudan’s likely expenditure on infrastructure.” It’s clear in any case that this supposed backwater organization has suspiciously significant funding and a complex operational style.
The group’s well-organized attacks are not typical of a grassroots organization of religiously motivated hacktivists. “Most authentic grassroots hacktivist organizations observed by CyberCX plan activities in an at least semi-public way, discussing targeting and coordinating operations in forums and group chats. Anonymous Sudan declares specific targets as it attacks, implying it is a closely held operation.” While it’s difficult to determine the group’s geographical location, the timezone during which they’re most active is the UTC-3 region, and that includes both Sudan and Eastern Europe. Anonymous Sudan is actively working with the Russian cyber auxiliary KillNet and its group of Russia-aligned accounts.
Anonymous Sudan primarily writes in English and Russian. Researchers at Trustwave write “There are numerous clues left behind by Anonymous Sudan pointing toward the group being associated in some manner with Killnet. The primary indicator is that Anonymous Sudan’s preferred attack vector is DDoS attacks, the attack type that Killnet has conducted. Other circumstantial evidence pointing toward a Russian connection is that the Anonymous Sudan Telegram posts are mostly in Russian (with some in English), and the targets are all nations that support Ukraine in its fight against Russia.”
- Trend Micro brings generative AI to Vision One cybersecurity platform (venturebeat.com)
Trend Micro's new generative AI-driven Vision One platform brings together cybersecurity capabilities including XDR and zero trust.
Cybersecurity provider Trend Micro Incorporated has been integrating artificial intelligence (AI) into its technologies for a decade, but it hasn’t had the power of generative AI, until now.
Today Trend Micro announced its new Vision One platform, bringing together a series of different cybersecurity capabilities including extended detection and response (XDR), attack surface risk management (ASRM) and zero trust. In many respects, the platform is an evolution of the Trend Micro One platform announced in 2022, with the big new addition being gen AI.
The Trend Vision One Companion is a gen AI-powered assistant for security operations center (SOC) analysts. The technology enables security teams to use natural language queries to answer questions, assist with threat hunting and accelerate remediation.
“We’ve really tried to think about how we can bring the power of gen AI to the security operation center,” Trend Micro COO Kevin Simzer told VentureBeat. “When you’re in an SOC, it tends to be a bit of a stressful job as they’re inundated with lots of telemetry from all different sources.”
- Tesla hacker discovers secret “Elon Mode” for hands-free Full Self-Driving (www.theverge.com)
Elon Musk might be driving FSD hands-free.
Tesla CEO Elon Musk might have his very own supersecret driver mode that enables hands-free driving in Tesla vehicles.
The hidden feature, aptly named “Elon Mode,” was discovered by a Tesla software hacker known online as @greentheonly. The anonymous hacker has dug deep into the vehicle code for years and uncovered things like how Tesla can lock you out of using your power seats or the center camera in the Model 3 before it was officially activated.
After finding and enabling Elon Mode, greentheonly ventured out to test the system and posted some rough footage of the endeavor. They did not share the literal “Elon Mode” setting on the screen but maintain that it’s real.
The hacker found that the car didn’t require any attention from them while using Tesla’s Full Self-Driving (FSD) software. FSD is Tesla’s vision-based advanced driver-assist system that’s in beta but is currently available to anyone who paid as much as $15,000 for the option. The software was the subject of an internally leaked report last month that indicated FSD has had thousands of customer complaints of sudden braking and abrupt acceleration.
- Stripe API Key: $70k Stolen from CCs via merchant to debit card "Instant Payments" (webdesigneracademy.com: My Stripe Account Was Hacked and Stripe Said I Have To Repay $70K)
Hear how my Stripe account was hacked, how Stripe responded, what I did in the aftermath and what to do if this happens to you.
From the moment I began my freelance web design business back in 2014, I was collecting payments via Stripe and happily paying their processing fees for the ability to grow my business from just a desire for more freedom to running a company that employs women and supports them to create their own freedom and financial independence.
It never occurred to me that using Stripe to process payments would become one of the biggest risks to my small business.
My Stripe account was hacked due to Stripe’s lax security, over $70,000 of fraudulent charges were processed by the hacker through a fake connected account, paid out instantly to that person via Stripe’s Instant Payments to the hacker’s pre-paid debit card, and Stripe started pulling the money out of my business bank account to pay back the victims of the theft.
And Stripe says it’s my fault that my account was hacked and that I’m liable to pay back the victims of the fraud.
Listen to the full podcast episode or read on to find out exactly what happened and how to protect your business.
______________________
On a quiet Monday morning after the Easter holiday, I was sipping coffee on my couch in Columbus, Ohio like I normally do, snuggling with my dog and going through my normal morning entrepreneurial routine of checking emails and DMs on my business account when I see an email from Stripe with the subject line:
“Subject: [Action required] Closure of your Stripe account”
We recently identified payments on your Stripe account that don’t appear to have been authorized by the customer, meaning that the owner of the card or bank account didn’t consent to these payments.
As a precautionary measure, we will no longer accept payments for [your company].
We will also begin issuing refunds on card payments on April 15, 2023, although they may take longer to appear on the cardholder’s statement.
Please refer to your dashboard for a list of the charges that will be refunded. If there are insufficient funds on your account to cover any refunds, those refunds won’t be processed and any outstanding funds will remain in your account.
If you believe that we’ve misunderstood or miscategorized your business and would like us to conduct another review of your account, please complete the form on your Stripe Dashboard to provide more information about your business.
Request further review
If you have any questions, you can contact us any time from our support site.”
I remember thinking… yeah, this is probably some phishing scam…
So I check out the “From” address, and actually click into it to see the actual address and it’s saying it’s FROM accounts@stripe.com…
And I log into my Stripe account from a separate browser, you know, just in case… and after using my Authenticator app because I have 2-factor authentication set up on my account, I see the request at the top of my account asking me to provide proof that I am the owner of my business.
I look at my recent authorized transactions and nothing is out of the ordinary… all of the successful payment listed are from students inside my Web Designer Academy who have been making their monthly membership payments like clockwork.
And I think, “This must just be a mistake. I’ve been a customer of Stripe for 8 years now. I’ll submit all the documentation Stripe requested and I’m sure that will take care of it.”
So I grab my laptop, submit all the documentation right away, and get back to snuggling and scrolling.
Then I log into my bank account and see a withdrawal from my business checking account from Stripe for over $600. And another pending transaction for a withdrawal over $2000. And no credits for the payments that were made by students over the weekend.
And I’m feeling very confused thinking, “What is happening?”
I’m starting to feel the anxiety bubbling up, but I tell myself to be patient. Once they review all the documents I submitted to prove that I am who I say I am, this will all get resolved.
A few hours later, I receive another email:
“Subject: Additional review completed for Stripe Shop”
Whew, I think. I’m glad they took care of this so quickly.
I click into the email, and my heart starts pounding in my chest as I read it:
“Thank you for providing additional information about your business.
After reviewing your account again, we’ve confirmed that your business represents a higher risk than we can currently support.
We are unable to accept payments for [your company] moving forward.
Payouts to your bank account have been paused, and we will issue refunds on any card payments by May 10, 2023, although they may take longer to appear on the cardholder’s statement.
If there are insufficient funds on your account to cover any refunds, these refunds will not be processed and any outstanding funds will remain on your account.
Please refer to your Dashboard for a list of the charges to be refunded.
If you’d like to further appeal our decision, please contact us.”
I can feel the panic rising in my body. I tap on the Stripe app on my phone and I see that there’s a negative payout balance… but all the transactions listed in the app are legit.
I logged back into my Stripe account via my computer trying to figure out what in the world they are talking about, what are all these charges that they are saying are fraudulent? I’m looking for a phone number I can call to talk to someone.
I start clicking through every link in my Stripe dashboard, and when I get to the “Connect” menu item, that’s when I see it.
Two accounts with the business name of “Netflix.com” under the name “Albert Dawkins” which between the two accounts had racked up over $70,000 in credit card charges in the 3 days over the Easter holiday weekend.
Looking more closely, the ill-gotten gains were paid out instantly to a pre-paid debit card via Stripe’s Instant Payouts feature the moment the transactions were successful.
I realized my Stripe account was hacked. ...
- Britain to double cyber defense funding for Ukraine (therecord.media)
The United Kingdom on Sunday announced a “major expansion” to its Ukraine Cyber Program, which has seen British experts provide remote incident response support to the Ukrainian government following Russian cyberattacks on critical infrastructure.
It follows the British government last year announcing that personnel from cyber and signals intelligence agency GCHQ had been contributing to Ukraine’s defense, including by providing protection against the Industroyer2 malware, alongside delivering hardware and software and limiting “attacker access to vital networks.”
The new funding will also support the provision of “forensic capabilities to enable Ukrainian cyber experts to analyze system compromises, attribute attackers and build better evidence to prosecute these indiscriminate attacks,” said Number 10.
- Microsoft identifies new hacking group controlled by Russian intelligence which they call "Cadet Blizzard" (therecord.media)
A hacking group that has carried out attacks targeting organizations in Europe, Latin America and Central Asia has been working for Russia’s military intelligence agency, according to new research.
A hacking group that has carried out attacks targeting organizations in Europe, Latin America and Central Asia has been linked to Russia’s military intelligence agency, according to new research.
Microsoft said Wednesday that the group, which it calls Cadet Blizzard, played a significant role at the beginning of Russia’s cyberwar against Ukraine. About a month prior to the invasion, the group deployed WhisperGate malware, which targeted numerous Ukrainian government computers and websites, while Russian tanks and troops were surrounding the Ukrainian borders waiting to start the offense.
Last year, Ukrainian cybersecurity officials along with their allies from the U.K. and the U.S. attributed the WhisperGate attack to units operating under the Russian military intelligence agency known as the GRU, but they did not disclose additional details.
According to Microsoft’s report, Cadet Blizzard operates independently from other GRU-affiliated hacking groups, such as Sandworm. The group is responsible for destructive attacks, cyber espionage, hack-and-leak operations, and defacement attacks — incidents where hackers modify the visual appearance of a website.
Microsoft considers the emergence of a novel GRU-affiliated actor “a notable development in the Russian cyber threat landscape.” According to the researchers, Cadet Blizzard’s cyber operations align with Russia's wider military goals in Ukraine but also pose a danger to NATO countries that provide military aid to Ukraine.
- AI vs AI: Next front in phishing wars (www.techrepublic.com)
Threat intelligence firm Abnormal Security is seeing cybercriminals using generative AI to go phishing; the same technology is part of the defense.
Business email compromises, which supplanted ransomware last year to become the top financially motivated attack vector threatening organizations, are likely to become harder to track. New investigations by Abnormal Security suggest attackers are using generative AI to create phishing emails, including vendor impersonation attacks of the kind Abnormal flagged earlier this year by the actor dubbed Firebrick Ostrich.
According to Abnormal, by using ChatGPT and other large language models, attackers are able to craft social engineering missives that aren’t festooned with such red flags as formatting issues, atypical syntax, incorrect grammar, punctuation, spelling and email addresses.
The firm used its own AI models to determine that certain emails sent to its customers later identified as phishing attacks were probably AI-generated, according to Dan Shiebler, head of machine learning at Abnormal. “While we are still doing a complete analysis to understand the extent of AI-generated email attacks, Abnormal has seen a definite increase in the number of attacks with AI indicators as a percentage of all attacks, particularly over the past few weeks,” he said.
- Pro-Russian hackers remain active amid Ukraine counteroffensive (cyberscoop.com)
Pro-Russian hackers are focused on Ukrainian service providers, media, critical infrastructure and collecting data from government networks.
Pro-Russian hackers are continuing to hit targets in Ukraine amid a counteroffensive aimed at reclaiming territory held by Russian forces in what Ukrainian officials and researchers describe as an intense period of network operations as the conflict heats up.
“The activity is still very high,” Victor Zhora, a top Ukrainian cybersecurity official, told CyberScoop via online chat Thursday.
Zhora, the deputy chairman of the State Service of Special Communications and Information Protection of Ukraine, which is responsible for the defense of Ukrainian government systems, said that pro-Russian hackers are focused on Ukrainian service providers, media and critical infrastructure, as well as collecting data from government networks. Zhora said his team is expecting the pace of pro-Russian operations to pick up.
- Stealing passwords from infosec Mastodon - without bypassing CSP (research) (portswigger.net)
The story of how I could steal credentials on Infosec Mastodon with an HTML injection vulnerability, without needing to bypass CSP.
Everybody on our Twitter feed seemed to be jumping ship to the infosec.exchange Mastodon server, so I decided to see what the fuss was all about. After figuring out why exactly you had to have loads of @ symbols in your username, I began to have a look at how secure it was. If you've followed me on Twitter you'll know I like to post vectors and test the limits of the app I'm using, and today was no exception.
First, I began testing to see if HTML or Markdown was supported. I did a couple of "tweets" to see if you could have code blocks (how cool would that be?) but nothing seemed to work. That is, until @ret2bed pointed out that you could change your preferences to enable HTML! That's right people, a social network that enables you to post HTML - what could possibly go wrong?
I enabled this handy preference and redid my tests. Markdown seemed pretty limited. I was mainly hoping for code blocks but they didn't materialise. I switched to testing HTML and tested for basic stuff like bold tags, which seemed to work on the web but not on mobile. Whilst I was testing, @securitymb gave me a link to their HTML filter source code and he showed me a very interesting vector where they were decoding entities.
- 288 dark web vendors arrested in major marketplace seizure (www.europol.europa.eu)
This operation, codenamed SpecTor, was composed of a series of separate complementary actions in Austria, France, Germany, the Netherlands, Poland, Brazil, the United Kingdom, the United States, and Switzerland. Intelligence packages as basis for investigations Europol has been compiling intel...
In an operation coordinated by Europol and involving nine countries, law enforcement have seized the illegal dark web marketplace “Monopoly Market” and arrested 288 suspects involved in buying or selling drugs on the dark web.
More than EUR 50.8 million (USD 53.4 million) in cash and virtual currencies, 850 kg of drugs, and 117 firearms were seized. The seized drugs include over 258 kg of amphetamines, 43 kg of cocaine, 43 kg of MDMA and over 10 kg of LSD and ecstasy pills.
from 02 May 2023
- Darknet Parliament is now a thing
The newly coined term "Darknet Parliament” has become the latest catchphrase among cybercriminals trying to prove their clout – and security insiders are loving it.
If you’ve never heard of the term before, don’t fret; neither had the rest of the world until Friday, when the notorious pro-Russian hacker group Killnet introduced the phrase in one of its Telegram threat posts.
Soon after, the Twitterverse seemed to come alive with security folk who couldn’t help but wonder about the ‘never-before-heard-of’ moniker for a ‘never-before-heard-of’ hacker government organization.