AI

AI Must Play Vital Role In Federal Cyber Defense, GDIT Report Says
A new report from General Dynamics Information Technology and Splunk reveals that federal agencies recognize AI's potential for real-time threat detection and automated mitigation. The research found agencies feel overwhelmed by data and in need of better tools. It recommends agencies harness AI to navigate data surges, bolster real-time analytics, and leverage automation to offset human errors. The report aligns with the White House's AI order and says agencies must integrate AI to anticipate threats more efficiently and advance defensive cyber operations. (MERITALK.COM)

How the U.S. Funded China's AI Ambitions
The U.S. awarded at least $30 million in grants for research led by Song-Chun Zhu, now a top AI scientist in China. Pentagon funding for Zhu at UCLA continued through 2021 for projects like robot autonomy and intelligence systems, despite him starting a parallel institute in China in 2010 and joining talent programs transferring technology to China. Experts say the U.S. risks losing its lead as China extracts technology through programs like the Thousand Talents Plan. While international collaboration benefits research, the U.S. is now scrutinizing funding recipients with undisclosed foreign ties like Zhu, who called AI the next "atomic bomb." His work in computer vision and cognition, core to potential superintelligent systems, continues with former students via papers also citing U.S. grants. The technology loss impacts are difficult to measure but could be significant militarily and economically. (DISCOUNTMAGS.COM)

Pro Take: Going Beyond Moore’s Law; Semiconductor Innovation Continues, But It Is Tougher
While Moore's Law of transistor doubling every two years no longer holds true due to physical limits, semiconductor innovation for AI continues through approaches like sparsity, number representation, and customizing chips. Nvidia's Bill Dally says the next four years are clear but it's getting harder, not cheaper. AI may help design chips faster. Researchers are pushing new fronts but large-scale automation could transform and unleash more creativity. Innovation exists beyond Moore's Law through different means of improving chip performance and efficiency. (WSJ.COM)

New AI Watchdog Hopes To Thwart 2024 Disinformation Campaigns
A new think tank called the California Institute for Technology and Democracy (CITED) plans to study responsible AI usage and lobby for regulation to prevent deepfakes and disinformation from influencing the 2024 election. CITED will develop state-level policy recommendations in California and a national agenda to be released in January addressing issues like deepfake labeling, algorithmic transparency, and boosting media literacy. The non-partisan group aims to build on momentum from the Biden administration's AI order. Experts say advances in AI generation could allow misleading videos to target voters if left unregulated. (EMERGINGTECHBREW.COM)
Critical Infrastructure

US Launches "Shields Ready" Campaign To Secure Critical Infrastructure
The US has launched the "Shields Ready" initiative to promote critical national infrastructure security and resilience. It outlines broad strategies for preparing critical infrastructure organizations for potential disruption by building more resilience into systems, facilities, and processes. This complements the "Shields Up" campaign, which encourages specific actions during threats. Shields Ready urges identifying critical assets, evaluating threats, developing risk management and response plans, and exercising those plans. It aims to ensure US critical infrastructure is better equipped to respond to and recover from all threats, including cyberattacks and natural disasters. The campaign is led by CISA and FEMA to provide infrastructure operators with tools for more effective risk management and incident response. (CSOONLINE.COM)

'Shields Ready' Critical Infrastructure Initiative Addresses Inevitable Cyberattacks
The US government's 'Shields Ready' initiative aims to prepare critical infrastructure operators for inevitable cyberattacks and disasters by encouraging investments in resilience. Led by CISA and FEMA, it assumes disruptions will occur and calls for readiness to maintain services. While providing guidance, the initial effort lacks regulatory enforcement. Experts say sector-specific requirements are needed given the varied infrastructure sectors. Some argue punitive measures may be necessary to motivate compliance, as security remains a non-essential cost. By focusing on executive accountability, the government hopes to incentivize critical infrastructure stakeholders to treat preparedness as a priority. (DARKREADING.COM)

The NSA Seems Pretty Stressed About the Threat of Chinese Hackers in US Critical Infrastructure
NSA officials are warning that Chinese government-backed hackers pose a serious ongoing threat to US critical infrastructure networks. At a cybersecurity conference, the NSA emphasized the need to identify and remove China-backed attackers like the group Volt Typhoon, known to target power grids and other vital systems. Officials said these hackers employ sophisticated "living off the land" techniques instead of malware, manipulating legitimate tools to covertly embed within networks long-term. Microsoft also reported that Volt Typhoon remains active, targeting universities and military groups, and that its access could enable disruption. The NSA urged network defenders to closely audit logs for anomalies, limit privileges, patch vulnerabilities, and verify fixes to catch any past exploitation. Officials stressed that the entire cybersecurity community must work together to protect critical US infrastructure from this threat. (WIRED.COM)
Crypto

More Than $100 Million Stolen From Poloniex Crypto Platform
Hackers stole over $100 million from the cryptocurrency exchange Poloniex on Friday, taking millions in Bitcoin and Ethereum. Poloniex is investigating and plans to reimburse users, offering the hacker a 5% bounty to return funds within 7 days before involving law enforcement. Blockchain firms estimated up to $130 million was stolen. Poloniex is owned by Justin Sun and handles over $500 million in daily trades. The attack comes after months of lulls following prior platform hacks involving tens of millions in 2022 and 2021. Law enforcement believes North Korea's Lazarus group targets crypto exchanges to fund nuclear weapons. (THERECORD.MEDIA)
Cyber Hygiene

Preparing For The Worst: What To Do If You Lose Your Phone
Losing your phone can be devastating, as most people rely on their phones as the key to their digital lives. This article provides tips on how to prepare for losing your phone, such as backing up your phone to the cloud or your computer, enabling locator services like "Find My", using a password manager and multifactor authentication, and adding extra security to important apps. It stresses the importance of having access to backups, passwords, authentication codes and other important information from devices other than just your phone. (VOX.COM)

Mortgage giant Mr. Cooper says customer data exposed in breach
Mortgage servicer Mr. Cooper disclosed that customer data was exposed in the cyberattack it reported on October 31st. The company is still investigating the nature of the compromised information and will provide more details to affected individuals in the coming weeks. Financial data is not stored on the impacted systems and was not believed to be involved. Mr. Cooper urged monitoring of credit reports and accounts for suspicious activity. The breach forced an IT shutdown, though the company assured customers there would be no late fees or penalties. Mr. Cooper services over 4 million home loans totaling $937 billion. While attackers have not been confirmed to have issued ransom demands, the incident highlights the risk of data exposure at large financial organizations when cyber incidents disrupt critical systems. (BLEEPINGCOMPUTER.COM)

'Sensitive data' may have been leaked in cyber attack, says Toronto Public Library
The Toronto Public Library now says "sensitive data may have been exposed" in an ongoing ransomware attack that has disrupted its services for almost two weeks. While initially saying there was no evidence of personal information being compromised, the library revealed an investigation found sensitive employee data was likely accessed. It's working with experts to determine the scope of the exposure and notify affected individuals. Library patrons have expressed concern over potential leaks of financial data used for fees. Experts criticize the library for initially downplaying risks, saying affected people need to know if they should monitor accounts or change passwords. Branches remain open but digital services are unavailable during the service interruption. (THESTAR.COM)
Cyber Threats

Anonymous Sudan: Neither Anonymous Nor Sudanese
Experts believe the hacker group known as Anonymous Sudan is likely a Russian state-backed operation rather than an authentic Sudanese collective. The group emerged speaking Russian and targets Western organizations. It coordinates with pro-Kremlin groups and conducts expensive DDoS attacks indicative of state funding. While claiming to defend Islam, it ignores Quran desecration in Russia. The name serves as a distraction from its true agenda of disrupting the West to further Russian interests. (CYBERNEWS.COM)
Cyberattacks

Australia Ports Firm Fights to Restore Operations After Cyber Incident
Ports operator DP World is working to resume normal operations at major Australian ports in Sydney, Melbourne, Brisbane and Fremantle, which were disrupted two days ago by a "serious and ongoing" cyber incident. While investigating potential data access and theft, DP World disconnected IT systems to prevent further unauthorized access. This has significantly impacted operations, though some freight can still be accessed if needed. After meetings, government cyber coordinator Darren Goldie said disruptions could last days rather than weeks. As DP World handles around 40% of Australia's trade, government agencies are assisting the response. Experts say Australia has been a target due to inadequate security and large troves of customer data held by companies. Recent massive data breaches impacted Medibank and Optus customers. With cybercrime on the rise, the incident is another reminder for firms and governments to bolster protections for sensitive information infrastructure. (YAHOO.COM)

DP World Australia Makes 'Significant Progress' To Restore Operations After Cyber Attack
Ports operator DP World Australia says it is making "significant progress" restoring landside freight operations after a cyber attack on Friday disrupted its container terminals in Melbourne, Sydney, Brisbane and Fremantle. While investigating the incident, which government officials called "nationally significant", DP World confirmed it is examining potential data access and theft. The company is working to determine if any personal information was impacted. Australia's cyber security co-ordinator said DP World's IT systems remain disconnected from the internet as investigations continue, significantly impacting operations, though some freight can still be accessed if necessary. As DP World handles around 40% of Australia's imports and exports, the government is assisting efforts to resolve the incident and support restoring normal port operations as quickly as possible. (THENATIONALNEWS.COM)

Australia locks down ports after ‘nationally significant’ cyberattack
Australia is responding to a major cyberattack targeting ports that prompted operator DP World to lock down major facilities. After detecting a "cybersecurity incident" late Friday, DP World restricted access to ports it operates in Sydney, Melbourne, Brisbane and Fremantle, which handle 40% of Australia's maritime freight. The government called it a "nationally significant incident" significantly impacting operations. Ships cannot unload and freight cannot leave port sites due to the restrictions. The cybersecurity coordinator said the interruption is expected to last days, hindering goods flows. The Australian Federal Police are investigating. It follows other recent Australian cyberattacks against a crypto exchange and Pizza Hut customers. Officials aim to resolve the incident and restore port access and operations. (CO.UK)
'Cybersecurity incident' rocks ports operator DP World, locks down major Aussie ports
Major Australian ports have been shut down after ports operator DP World confirmed a "cybersecurity incident". Late on Friday night, DP World restricted landside access to container terminals in Sydney, Melbourne, Brisbane, and Fremantle that it operates. The company said teams are working to contain the situation and determine the cyberattack's impact, engaging cybersecurity experts to investigate while notifying authorities. No services are operating until the investigation concludes. It comes after data breaches impacted Australian companies like the Coinspot cryptocurrency exchange and Pizza Hut in recent months. DP World is an international ports and logistics firm that operates in Australia. There is no known link between the cyber incident and industrial action recently voted for by the Maritime Union of Australia against DP World. (COM.AU)

For Maine, The MOVEit Attack Is Personal
Maine disclosed that personal information of approximately 1.3 million people, representing nearly its entire population, was accessed in a ransomware attack exploiting the MOVEit file transfer service in late May. This makes it one of the most extensive breaches related to the widespread MOVEit attacks, which have impacted nearly 2,600 organizations and exposed data on over 29 million individuals stored with government contractors and agencies. The attack underscores the massive downstream damage that can occur when a widely used compliant file transfer system is compromised. (CYBERSECURITYDIVE.COM)

Multiple Australian Ports Closed After Cyber Security Breach
Several port terminals across Australia have been closed as the Australian Federal Police investigate a cyber security breach. DP World discovered the breach on Friday night and closed its container terminals in Brisbane, Sydney, Melbourne and Fremantle. The container terminals are expected to be closed for days, which severely impacts the movement of goods in and out of the country. The National Coordination Mechanism is working with the company and government to resolve the incident. Only landside operations from DP World have been impacted, with ship movements remaining unaffected. (COM.AU)

Washington State Department of Transportation Working to Recover from Cyberattack
The Washington State Department of Transportation is working to recover from a cyberattack that began on Tuesday, causing issues for ferry schedules, traffic cameras, and apps. The department's website, cameras, and app went down, affecting maps, ferry video feeds, and online permits. A spokesperson said there was no indication of other systems being affected and the cause is under investigation. Parts of the website returned on Thursday but certain pages remained down. Traffic cameras were restored to the app but not the website. The mobile app, travel map, and online permits are still out of service as recovery work continues. The department did not confirm if it was a ransomware incident. Washington state agencies and transportation systems have dealt with other cyberattacks and data breaches in recent years. (THERECORD.MEDIA)
Microsoft: BlueNoroff hackers plan new crypto-theft attacks
Microsoft warns that the North Korean state-sponsored hacking group BlueNoroff, also known as Sapphire Sleet, is setting up new fraudulent websites and social engineering infrastructure on LinkedIn to target cryptocurrency employees. The group has a history of deploying malware via social media to backdoor systems and steal crypto assets. Previously relying on GitHub, BlueNoroff now hosts payloads on password-protected websites disguised as skills assessments. Microsoft believes this change was prompted by detection of prior attack methods. BlueNoroff is known for targeting over 35 countries, stealing an estimated $2 billion, and being involved in the largest crypto hack, against Axie Infinity's Ronin bridge. Microsoft's warning highlights the persistent cryptocurrency theft efforts of this sanctioned North Korean threat group. (BLEEPINGCOMPUTER.COM)

State of Maine Becomes Latest MOVEit Victim to Surface
The state of Maine confirmed it was affected by the ongoing MOVEit file transfer vulnerability between May 28-29, exposing information on 1.3 million individuals. Compromised data could include names, SSNs, DOBs, driver's license numbers, taxpayer IDs, medical info and health insurance details. Maine secured the impacted MOVEit server and is notifying affected individuals via email, mail and a call center. Two years of credit monitoring will be offered to those whose SSNs or taxpayer IDs were involved. This adds Maine to the lengthy list of MOVEit victims across sectors, demonstrating many organizations are unprepared for sophisticated breaches. Experts stress the need for governments to prioritize adopting cutting-edge security strategies to better protect citizens' data. (DARKREADING.COM)

Cyber Attack Disrupts Washington DOT Website, Services
A cybersecurity incident has disrupted key parts of the Washington State Department of Transportation's website since Tuesday, causing major issues for travelers. While the basic site and app remain up, real-time information like traffic cameras, ferry tracking, and the travel map are inaccessible due to the outage. WSDOT is investigating internally but has not yet involved law enforcement. Few details are available on the source or nature of the attack. The lack of live ferry tracking has significantly impacted passengers, as schedules no longer reflect delays. Traffic cameras were restored Thursday. WSDOT continues to provide updates on social media and email about late ferries. The disruption comes as winter weather approaches and travelers rely on the site for planning. (GOVTECH.COM)

LinkedIn says spy firm targeted Hungarian activists, journalists before 2022 election
LinkedIn has acknowledged that private spy firm Black Cube used fake LinkedIn profiles to target Hungarian activists and journalists critical of Prime Minister Viktor Orban ahead of Hungary's 2022 election. A LinkedIn researcher said Black Cube created a network of fake personas on the platform to connect with targets via bogus job postings, then secretly recorded video conversations that were published in pro-government media. LinkedIn took down the fake accounts for "clear violation" of its rules. One target said the footage received widespread coverage. Black Cube said it only works legally on litigation and white collar crime. While Orban's party won re-election, a target said the election was not fair. LinkedIn did not provide details on the fake account takedown or who Black Cube may have worked for. (REUTERS.COM)

Boeing Says Information From System Published Online by Cyber Criminals
Boeing has acknowledged that information from its systems was published online by cyber criminals. In a statement, the aerospace company said its parts and distribution business recently experienced a cybersecurity incident. While Boeing said it was confident the incident did not threaten aircraft or flight safety, the company is investigating and in contact with law enforcement and regulators. The statement comes after Boeing's parts and services website went offline last week due to a "cyber incident." Boeing did not provide further details on the incident or what information may have been released by the "criminal ransomware actor." (WSJ.COM)
Maine Says 1.3 Million People Affected by Data Breach
Maine revealed that about 1.3 million people were affected by a data breach earlier this year. The breach was part of a massive May cyberattack that exploited a vulnerability in the MOVEit file transfer system, also impacting several US federal agencies. The affected Maine data included names, SSNs, DOBs, driver's license numbers, taxpayer IDs, medical information and health insurance details. Over 50% of the data came from Maine DHHS and 10-30% from the Department of Education. The state blocked MOVEit server access and implemented security recommendations as soon as it learned of the breach. An investigation identified compromised information. Those with affected SSNs or taxpayer IDs can receive credit monitoring. The attack has impacted over 70 million worldwide and also breached data from Louisiana, Colorado and Oregon agencies. (THEHILL.COM)

Russia-Linked Hackers Claim Credit For OpenAI Outage This Week
The hacking group Anonymous Sudan, which is linked to Russia, claimed responsibility for distributed denial-of-service attacks that caused outages and errors for OpenAI's ChatGPT conversational AI this week. In a Telegram post, the group said it targeted OpenAI due to the company exploring investment opportunities in Israel. Anonymous Sudan is known for cyberattacks aimed at disrupting Western organizations to further Russian interests. (BLOOMBERG.COM)

Maine Government Says Data Breach Affects 1.3 Million Residents
The government of Maine disclosed that a May ransomware attack exploiting a MOVEit file transfer system resulted in the theft of personal data for over 1.3 million state residents, or nearly its entire population. The data includes names, birthdates, IDs and in some cases health and insurance information from various state agencies. This makes it one of the largest breaches stemming from the widespread MOVEit attacks, which a cybersecurity firm says have impacted at least 69 million people total across thousands of victims. (TECHCRUNCH.COM)

Mr. Cooper Customers’ Data Exposed By Cyberattack
Mortgage servicer Mr. Cooper notified customers and regulators that a cyberattack last week resulted in certain customer data being exposed, though the full scope and type of data compromised is still under review. The attack blocked millions from making payments until alternative options were set up. While operational impacts are expected in Q4, the company believes costs of up to $10 million will be the extent of the financial damage. It's the third largest mortgage servicer in the US with over 4.3 million customers. (CYBERSECURITYDIVE.COM)

Cyberattack Shuts Down WA Transportation Website, Bringing Confusion, Disruptions
A cybersecurity incident targeted the Washington State Department of Transportation's website, taking down most real-time travel information since Tuesday. While the basic site and app remain up, the ferry and traffic camera tracking are offline. This has caused major disruptions for ferry riders and mountain pass drivers as winter approaches. WSDOT is investigating but has not involved law enforcement yet. No restoration timeline was given, and officials declined specifics due to the ongoing probe. The governor's office is monitoring the situation. Passengers are turning to third-party sites and signage for ferry updates in the absence of the usual online tracking tools. (SEATTLETIMES.COM)

Hackers, Scrapers & Fakers: What's Really Inside the Latest LinkedIn Dataset
Troy Hunt investigated a claimed LinkedIn data breach and found it was a mix of legitimate public profile data scraped from LinkedIn and fabricated information. He analyzed sample records, noting email addresses all followed the pattern of "[first name].[last name]@domain", which is common but not universal. Checking real email addresses from the same companies showed different formats. Every record had this pattern, indicating fabrication. Column headers referenced multiple data sources. While some data like employment history was real, the emails were likely algorithmically generated. He loaded it into Have I Been Pwned but flagged it as a spam list since not all addresses were real. Loading it still informs people if their data was included, allowing them to take their own precautions. Claims the breach was due to an insider or LinkedIn mishandling are unfounded; the evidence points to data aggregation and fabrication. (TROYHUNT.COM)

Sumo Logic Discloses Security Breach, Advises API Key Resets
Security analytics company Sumo Logic disclosed a security breach after discovering an attacker compromised its AWS account last week using stolen credentials. While Sumo Logic's own systems and customer data remain encrypted, it advised customers to reset API keys, collector credentials, third-party credentials stored with Sumo Logic, and user passwords as a precaution. Sumo Logic detected the breach on November 3rd after finding evidence an attacker accessed a Sumo Logic AWS account. It immediately locked down exposed infrastructure and rotated all potentially exposed credentials. Sumo Logic continues investigating the origin and scope of the incident, and will directly notify customers if evidence is found of access to their accounts. Customers should monitor updates on Sumo Logic's security response center. The incident underscores the importance of regularly resetting credentials to limit the impact of stolen credentials being abused in breaches. (BLEEPINGCOMPUTER.COM)
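The Troy Hunt item above describes a simple but effective triage heuristic for a claimed breach dump: if every address in a dump follows the same "first.last@domain" template, while addresses confirmed from other sources at the same domains use different formats, the emails were probably generated rather than leaked. The following Python is an added example of that check written for this page; it is not Troy Hunt's or Have I Been Pwned's code, and both the suspect rows and the reference rows are constructed sample data, not records from the dataset discussed.

```python
import re
from collections import defaultdict

# Constructed sample rows standing in for a claimed-breach dump (not the real dataset).
SUSPECT_ROWS = [
    {"first": "Alice", "last": "Nguyen", "email": "alice.nguyen@example-corp.com"},
    {"first": "Bob", "last": "Okafor", "email": "bob.okafor@example-corp.com"},
    {"first": "Chen", "last": "Wei", "email": "chen.wei@example-bank.com"},
    {"first": "Dana", "last": "Silva", "email": "dana.silva@example-bank.com"},
]

# Constructed rows mimicking addresses confirmed from other sources for the same domains.
REFERENCE_ROWS = [
    {"first": "Erin", "last": "Kowalski", "email": "ekowalski@example-corp.com"},
    {"first": "Farid", "last": "Haddad", "email": "farid.haddad@example-corp.com"},
    {"first": "Gita", "last": "Rao", "email": "grao@example-bank.com"},
    {"first": "Hugo", "last": "Meyer", "email": "hugo_meyer@example-bank.com"},
]

ADDRESS = re.compile(r"^(?P<local>[^@\s]+)@(?P<domain>[^@\s]+)$")


def local_part_format(row):
    """Classify how an address's local part is derived from the person's name."""
    first, last = row["first"].lower(), row["last"].lower()
    m = ADDRESS.match(row["email"].strip().lower())
    if not m or not first or not last:
        return "other"
    local = m["local"]
    if local == f"{first}.{last}":
        return "first.last"
    if local == f"{first[0]}{last}":
        return "flast"
    if local == f"{first}_{last}":
        return "first_last"
    if local == first:
        return "first"
    return "other"


def format_share(rows):
    """Per-domain share of each naming format, e.g. {"example-corp.com": {"first.last": 1.0}}."""
    counts = defaultdict(lambda: defaultdict(int))
    for row in rows:
        m = ADDRESS.match(row["email"].strip().lower())
        if not m:
            continue
        counts[m["domain"]][local_part_format(row)] += 1
    return {
        domain: {fmt: n / sum(fmts.values()) for fmt, n in fmts.items()}
        for domain, fmts in counts.items()
    }


def fabrication_signals(suspect, reference, uniform_threshold=0.99):
    """For each domain in the suspect dump, report whether one format dominates and whether
    that contradicts the formats seen in independently confirmed addresses."""
    suspect_shares, reference_shares = format_share(suspect), format_share(reference)
    findings = {}
    for domain, shares in suspect_shares.items():
        top_fmt, top_share = max(shares.items(), key=lambda kv: kv[1])
        known_formats = set(reference_shares.get(domain, {}))
        findings[domain] = {
            "dominant_format": top_fmt,
            "share": top_share,
            "uniform": top_share >= uniform_threshold,
            # A conflict means real addresses at this domain use formats the dump never shows.
            "conflicts_with_reference": bool(known_formats) and known_formats != {top_fmt},
        }
    return findings


def dataset_verdict(findings):
    """Roll per-domain findings up into a triage label for the whole dump."""
    if not findings:
        return "insufficient data"
    all_uniform = all(f["uniform"] for f in findings.values())
    any_conflict = any(f["conflicts_with_reference"] for f in findings.values())
    if all_uniform and any_conflict:
        return "likely fabricated"
    if all_uniform:
        return "suspiciously uniform"
    return "mixed formats"


if __name__ == "__main__":
    signals = fabrication_signals(SUSPECT_ROWS, REFERENCE_ROWS)
    for domain, finding in signals.items():
        print(domain, finding)
    print("verdict:", dataset_verdict(signals))
```

The per-domain breakdown matters because a single company may genuinely standardise on first.last; the signal Hunt describes is the combination of total uniformity across every source with real addresses from the same companies that do not match, which is what the verdict function keys on.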
Cyberwar

Microsoft: Iran's Cyberattacks on Israel Exaggerated & Fabricated
Microsoft has assessed that claims of successful, coordinated cyberattacks from Iranian actors against Israel have been exaggerated and fabricated. According to the report, alleged ransomware attacks were likely fabricated. The compromise of connected webcams described as targeting Israeli military installations was actually opportunistic, non-targeted access of consumer devices with no military relevance. Microsoft found no evidence that network attacks were timed to align with physical attacks on October 7th as claimed. While some destructive infrastructure attacks occurred on October 18th, Iranian actors' success has generally been amplified through information operations rather than coordinated, strategic attacks. Microsoft believes prolonged conflict increases the chances of more proactive Iranian cyber activities, but recent claims have overstated impacts. (DARKREADING.COM)
Events

Evolving Threats, Stagnant Policies: A Conversation On How To Secure Critical Infrastructure For The Cyber Era
This event from FDD and CSC 2.0 will feature a panel discussion on securing critical infrastructure on November 13th at 12:00pm ET. The panel will include Kiersten Todt from CISA, RADM Mark Montgomery from FDD, and Mary Brooks from the Wilson Center, and will be moderated by Martin Matishak from The Record. They will discuss shortcomings of PPD-21, improving public-private collaboration to protect security and the economy, and recommendations for the Biden administration's policy review on governing critical infrastructure partnerships. (FDD.ORG)

Administration Officials And Others On Cybersecurity Risk Management
Administration officials, cybersecurity administrators, and law enforcement discussed cybersecurity risk management planning and challenges for small and medium-sized communications companies during a meeting hosted by the Federal Communications Commission (FCC) and Cybersecurity and Infrastructure Security Agency (CISA) in Washington, DC. (C-SPAN.ORG)

Empowering SMBs: Developing A Resilient Supply Chain Risk Management Plan
The Cybersecurity and Infrastructure Security Agency will present its latest resource guide, "Empowering SMBs: A Resource Guide for Developing a Resilient Supply Chain Risk Management Plan", at a webinar on Wednesday, November 15, 2023 from 11 AM to 12 PM EDT. The guide was created to provide small and medium-sized businesses with a starting point for developing and customizing an information and communications technology supply chain risk management plan that meets their needs and supports establishing an actionable plan to mitigate risks and disruptions. (CISA.GOV)
Financial
Yellen
Says Ransomware Attack On China's Biggest Bank Minimally Disrupted Treasury
Market TradesU.S. Treasury Secretary Janet Yellen suggested that a
ransomware attack on China's largest bank only minimally disrupted the U.S.
Treasury market, as she and Chinese finance officials discussed the incident at
a meeting in San Francisco ahead of an economic summit. Yellen said there was no
impact seen on the Treasury market and close communication between officials was
critical in such situations. (
APNEWS.COM)
Hack
at ICBC Targeted the Digital Underbelly of Financial MarketsA
ransomware attack on Industrial and Commercial Bank of China's New York unit
disrupted US Treasury trading this week, underscoring fears of cyber threats to
financial markets. While the impact was minor, the incident showed hackers can
hold critical infrastructure for ransom. ICBC is a major intermediary, and the
attack forced it to disconnect from the Treasury settlement system run by BNY
Mellon. Some $62 billion in Treasuries failed to deliver on time. Though trading
volumes were unaffected, the fragility of the plumbing underlying markets was
exposed. Regulators have pushed for more trading to occur on centralized
platforms like DTCC to reduce such risks, but industry argues this could
discourage participants. The attack comes as the SEC and others scramble to
strengthen cyber defenses of critical financial sectors. (
WSJ.COM)
ICBC
Hack Shows All Foreign Marks Are Equal to Russia's LockBitThe
cyberattack on Industrial and Commercial Bank of China (ICBC) that disrupted US
Treasury trades was likely carried out by the ransomware group LockBit,
according to cyber experts. LockBit, based in the Netherlands with many Russian
speakers, has become the most prolific cyber extortion group through outsourcing
hacking work and portraying itself as politically neutral. However, the ICBC
attack breaks the unofficial agreement between Russian and Chinese groups not to
target each other's institutions, putting pressure on Putin as he relies on
China's support. LockBit claims an affiliate was responsible without permission,
though experts say the group doesn't seem concerned about China's reaction. The
ICBC hack aligns with LockBit testing new non-Western markets. While sensitive
to criticism in the past, LockBit has shown increasing ruthlessness through
hundreds of attacks extracting tens of millions in ransom. (
BLOOMBERG.COM)
Treasury
Settlement Delays Continue in Wake of ICBC HackThe Federal Reserve
reported ongoing "service issues" impacting its Fedwire Securities settlement
platform for US Treasuries, similar to an issue on Thursday following a
cyberattack on Industrial and Commercial Bank of China (ICBC). The attack
prevented ICBC from clearing trades, forcing clients to reroute transactions. On
Thursday, some Treasury trades had to be settled via a USB drive delivery.
Details of the disruption are unclear, though liquidity was affected. The
incident underscores the benefits of central clearing to prevent single
counterparty failures from causing widespread issues. Ransomware attacks have
surged, including hits on major companies, and the ICBC incident likely exposes
weaknesses in its defenses. Financial institutions remain on high alert for
potential disruptions from cyberattacks. (
BLOOMBERG.COM)
World's
Biggest Bank Has To Trade Via USB Stick After HackIndustrial and
Commercial Bank of China (ICBC), the world's largest bank, had to resort to
physically transporting US Treasury trade settlement details on a USB flash
drive between parties in Manhattan after it suffered a cyberattack. This caused
ICBC's clients to reroute some Treasury trades and shocked the banking industry
due to the bank's size and importance in the largest financial market. Experts
called it a true shock that highlighted vulnerabilities. (
BLOOMBERG.COM)
U.S. subsidiary of China’s ICBC hit by devastating cyberattack
A ransomware attack hit the New York-based subsidiary of the Industrial and Commercial Bank of China, disrupting its ability to settle US Treasury and repurchase agreement trades. ICBC is the world's largest bank by assets. The cybercrime group Lockbit took credit and began posting what it claimed was data stolen from Boeing in the same attack. Lockbit is a prolific ransomware operation that US and Canadian authorities have sought to dismantle for years, arresting one member in Ontario in 2021. The ICBC attack underscored the potential for cyberattacks to disrupt critical financial market infrastructure, since Treasury trades total hundreds of billions daily. ICBC resorted to manually settling trades with USB drives, highlighting the attack's severity in compromising an important intermediary in the US financial system.
(THELOGIC.CO)
Yellen: no impact on US Treasury market from ICBC hack
US Treasury Secretary Janet Yellen said the ransomware attack on Industrial and Commercial Bank of China that disrupted the largest Chinese bank had not interfered with the US Treasury market. Yellen spoke with China's Vice Premier He Lifeng about the incident during talks in San Francisco. While ICBC's access to the electronic US Treasury settlement platform remained cut off, Yellen said there was no impact seen. She stressed the importance of close communication between US and Chinese economic officials in such situations. The Treasury Department has provided assistance to ICBC in dealing with the issue, Yellen added.
(REUTERS.COM)
Brazen ransomware attack on US unit of Chinese banking giant has financial sector on alert
A ransomware attack on a US subsidiary of Chinese state bank ICBC that disrupted Treasury trades has heightened alertness across the global financial sector. While financial institutions are typically well defended, the ransomware threat poses new challenges. The attack showed even well-resourced companies can be disrupted. It led to intelligence sharing within the financial sector on the evolving threat. The hack targeted ICBC Financial Services in New York, and recovery is ongoing. The prolific LockBit group claimed responsibility, though affiliates sometimes carry out attacks. The brazen nature of targeting such a large bank drew concern it could draw Chinese government scrutiny of the hackers. However, poor US-Russia relations have allowed ransomware groups to operate from Russia with impunity. The 2010 attacks blamed on Iran previously woke up the financial sector to cyber defense needs.
(CNN.COM)
Yellen Says Ransomware Attack on China's Biggest Bank Minimally Disrupted Treasury Market Trades
US Treasury Secretary Janet Yellen said a ransomware attack that forced China's largest bank, Industrial and Commercial Bank of China (ICBC), to take some systems offline only minimally disrupted US Treasury market trades. Yellen and Chinese finance officials discussed the attack at a meeting in San Francisco. Yellen said close communication between the countries was important in dealing with such situations. The impacted ICBC unit handles trades and services for financial institutions. It took systems offline on Wednesday due to the ransomware attack and was investigating. All Treasury and repo financing trades were cleared. As the second largest holder of US debt, China holds $805.4 billion in Treasury securities. The ransomware group LockBit, which predominantly targets non-Russian speakers, was reportedly behind the attack.
(THEHILL.COM)
After a Surprise Cyberattack, The World's Largest Bank Had to Shuffle a USB Stick Around Manhattan to Do Business
The US unit of Industrial and Commercial Bank of China, the world's largest bank by assets, reportedly suffered a cyberattack on Wednesday from the Russia-linked group Lockbit. On Thursday, the bank disclosed the breach while conducting some Treasury trades via a messenger shuffling a USB stick around Manhattan, as the infected systems were sorted out. The improvised method was used while the $23.5 billion ICBC Financial Services unit addressed the attack, evoking images of fictional physical data transfer jobs like in Johnny Mnemonic. Details of the real-life USB trading scheme were light, amusingly envisioning the stressed journey of an intern enlisted to speedily shuttle the drives through busy New York streets.
(PCGAMER.COM)
Feds recovering additional $1.187M of $5.9M stolen from New Haven schools in cyber fraud
Federal authorities have seized and are in the process of recovering an additional $1.187 million stolen from New Haven Public Schools in a cyber fraud earlier this year, bringing the total recovered funds to $4.7 million of the $5.9 million stolen. Criminals had compromised a school official's email and impersonated a bus company to redirect $5.9 million in payments. While $3.6 million was previously recovered, tracking the additional $1.187 million, which was transferred multiple times, has taken more time. $1.2 million remains missing. New Haven has hired consultants to tighten cybersecurity and financial controls. The theft is being investigated by the FBI and US Marshals, and the US Attorney's Office is seeking forfeiture of recovered funds through civil asset forfeiture. Insurance policies may cover some of the missing amount.
(CTINSIDER.COM)
Government
As Congress Weighs Budget Priorities, Top Cyber Execs Urge CISA Funding Support
A bipartisan group of cybersecurity executives signed a letter urging Congress to support funding for CISA amid concerns that proposed budget cuts could undermine efforts to protect critical infrastructure and federal systems from growing cyber threats. The letter warns that cuts would increase risks from criminal and state-linked hackers. CISA has faced Republican criticism over its work on election security disinformation. Experts say cuts would hamper the agency's ability to monitor networks and leave gaps adversaries could exploit.
(CYBERSECURITYDIVE.COM)
Healthcare
Hackers Stole Personal Data of Over 800k Sutter Health Patients in California Data Breach
Hackers stole the personal information of over 845,000 Sutter Health patients in California through a massive data breach at Virgin Pulse, a Welltok subsidiary that stored patient data. Virgin Pulse was among thousands of organizations affected by a May ransomware attack exploiting a flaw in the file transfer software MOVEit. While financial data was not compromised, certain health details were taken. The breach also impacted over 1.2 million CalPERS and CalSTRS retirees. It remains unknown if any privacy laws were violated. Lawsuits have been filed against MOVEit developer Progress Software and affected groups. Experts say it would be difficult for hackers to organize and use the stolen information, but the potential remains. Patients can call Virgin Pulse for support related to the breach.
(FRESNOBEE.COM)
McLaren Health Care Says Data Breach Impacted 2.2 Million People
McLaren Health Care is notifying 2.2 million individuals of a data breach that occurred between July and August 2023. An unauthorized actor accessed McLaren's systems on August 22nd. An investigation found the breach began on July 28th. Data involved includes names, DOBs, SSNs, insurance info, medical records, diagnoses and more. The specific data varies by individual. All impacted will receive 12 months of identity protection services. McLaren currently sees no evidence data was misused but urges vigilance. Details on the cyberattack were not disclosed, but the BlackCat ransomware group claimed responsibility in October for an attack, threatening to auction stolen McLaren data impacting 2.5 million people. McLaren operates 14 hospitals in Michigan with 28,000 staff and relationships with 113,000 providers.
(BLEEPINGCOMPUTER.COM)
Hackers breach healthcare orgs via ScreenConnect remote access
Security researchers have identified hackers targeting multiple healthcare organizations in the US by exploiting ScreenConnect remote access instances tied to Transaction Data Systems (TDS), a pharmacy supply chain provider. The attacks, observed between October 28 and November 8, involved downloading payloads and installing additional remote access tools like ScreenConnect and AnyDesk to maintain persistent access. Tactics included using the Print Spooler service and non-PowerShell methods to evade detection. Compromised endpoints belonged to two distinct orgs, one in pharmaceuticals and one in healthcare, linked by their ScreenConnect access. It's unclear if TDS directly suffered a breach or if credentials were compromised. Researchers attempted unsuccessfully to notify TDS, now known as Outcomes, of the issue. The attacks demonstrate how remote access tools can be leveraged in intrusions impacting healthcare.
(BLEEPINGCOMPUTER.COM)
Reader letter: Hospital cyberattack demands thorough investigation
This letter calls for a thorough investigation into the ransomware attack on the IT systems of five local hospitals managed by TransForm in Chatham. Nearly two weeks after the incident, the letter notes hospital operations had still not returned to normal. It questions how such critical infrastructure serving 500,000 people lacked proper protection and redundancy, as cancer treatments were cancelled and patient data released. The letter argues backup procedures proved insufficient, and asks if encrypted patient data was actually compromised. It acknowledges people are working hard on recovery but stresses a probe is needed to ensure this cannot happen again, and decision-makers must be held accountable for lax controls that allowed such disastrous consequences. The writer calls initial statements that patient care was unaffected misleading based on subsequent news of impacts. Overall the letter demands answers and changes to protect hospitals from future cyberattacks.
(WINDSORSTAR.COM)
Major hack by Russian gang steals social security numbers and health information from 1.3 million in Maine
Maine has revealed that data from 1.3 million residents - nearly the entire state population - was stolen in a May 2022 global cyberattack exploiting file transfer software MOVEit. Stolen information includes names, dates of birth, driver's license numbers, social security numbers, and health/medical data. The attack originated from a Russian-speaking hacking group called CLOP. Many government agencies and private businesses were impacted worldwide in the same incident. Maine is just now notifying victims and offering credit monitoring to those whose critical data was accessed. Over 40% of one state department's staff were affected. The breach has significantly compromised residents' private information. It underscores the massive scale of attacks targeting vulnerabilities in widely used programs.
(CO.UK)
Hackers stole personal data of over 800k Sutter Health patients in California data breach
A massive May 2022 ransomware attack exploiting a flaw in the file transfer software MOVEit compromised personal information of over 800,000 Sutter Health patients in California, according to a Nov. 3 disclosure. Hackers breached Virgin Pulse, which stored and managed data for Sutter, gaining access to details like names, doctors, prescriptions and treatment codes. The breach is among hundreds worldwide attributed to the Clop/Cl0p ransomware group exploiting MOVEit, affecting over 2,500 organizations, though stolen information does not appear to have been leaked or abused so far. Notifications are still ongoing months later due to the unprecedented scale. Lawsuits have been filed over privacy violations, while experts say stolen data would be difficult for criminals to organize and monetize. Sutter is offering patients identity protection services in response.
(SACBEE.COM)
Ontario Hospitals Expect Monthlong Ransomware Recovery
The five Ontario hospitals affected by a ransomware attack on their shared IT provider TransForm in late October say recovery could take until mid-December. Rebuilding the IT network from scratch means continued patient care disruptions. Attackers stole over 5.6 million patient records from one hospital. TransForm and the hospitals refused to pay the ransom. Cybercriminals this week hit another U.S. mental health facility, underscoring persistent threats to healthcare. Experts say prohibiting ransom payments may help curb such incidents.
(DATABREACHTODAY.COM)
International
'Phobos' ransomware: Two Russians arrested following a dozen attacks in France
French authorities have arrested two Russian suspects in Italy in connection with over a dozen ransomware attacks in France linked to the "Phobos" ransomware group. The man and woman in their 30s are suspected of working as "affiliates" of Phobos since 2020, renting the ransomware to penetrate victims' networks themselves and sharing ransom profits with the developers. Police linked several French attacks to the pair through similar methods. Analysis of cryptocurrency flows also linked them to around 150 ransomware payments worldwide. Their 12 French victims included local governments and businesses. Phobos is a discreet group that generally targets small businesses for smaller ransoms than larger ransomware operations. The arrests are seen as significant, with seized electronic devices expected to reveal whether the pair worked for other groups as well.
(LEMONDE.FR)
Iranian Hackers Launch Malware Attacks On Israel’s Tech Sector
Security researchers have tracked a new campaign from Imperial Kitten, an Iranian threat actor linked to cyberattacks against Israeli organizations. The attackers launched phishing emails with malicious Excel files in October, using job recruitment lures. When opened, the files deployed malware for remote access and credential theft. Past Imperial Kitten campaigns compromised Israeli websites and targeted maritime and logistics sectors through similar techniques. Researchers provided indicators of compromise for the adversary's infrastructure.
(BLEEPINGCOMPUTER.COM)
How Visa Uses AI to Protect Digital Payments
Visa leverages artificial intelligence and analyzes over 500 data points per transaction to flag potentially fraudulent online spending. The payment processor's models look at variables like transaction location, amount, and devices used to determine a risk score. This score is sent to the customer's bank to decide whether to approve, flag, or decline the transaction. Visa then analyzes how banks handle alerts to identify abnormal approval patterns that could indicate a bank breach enabling fraudsters. The company has invested over $10 billion in fraud detection strategies using this data-driven AI approach to stay ahead of increasingly sophisticated threats that also use technology for payment scams.
(ITBREW.COM)
Law Enforcement
Police Take Down BulletProftLink Large-Scale Phishing Provider
Malaysian police have seized the notorious BulletProftLink phishing-as-a-service platform that provided over 300 phishing templates to thousands of subscribers. The operation began in 2015 but gained more attention from 2018. BulletProftLink hosted phishing pages, harvested credentials, and provided reverse proxy tools. In 2020, a report linked the operator to a Malaysian national. In 2021, Microsoft warned of its high volume. With help from Australian and US authorities, Malaysian police arrested eight individuals in November 2023, seizing servers, cryptocurrency, vehicles and other assets. BulletProftLink had over 8,000 subscribers paying up to $2,000/month for access to stolen credentials. Its dismantling removes an important source of initial access for cybercriminals targeting corporations. Stolen credentials could enable network reconnaissance and lateral movement.
(BLEEPINGCOMPUTER.COM)
Legal
Pierce College Cyberattack Exposed 155,000 People’s Data. Is the District at Fault?
A cyberattack on Pierce College in July exposed the personal data of more than 155,000 former students and staff. A lawsuit accuses the district of failing to adequately protect sensitive information, including Social Security numbers and banking details. While the district says it responded appropriately after discovering the breach, the plaintiff argues Pierce College did not have sufficient security protocols in place and questions why such large amounts of student data were retained for so long. As similar incidents continue to impact colleges nationwide, experts say all institutions must carefully review their practices for collecting, storing and securing personal information.
(THENEWSTRIBUNE.COM)
Intel Faces 'Downfall' Bug Lawsuit, Seeking $10K per Plaintiff
A class action lawsuit claims Intel knowingly sold billions of faulty chips for years that were vulnerable to data-leaking bugs like Downfall. The suit seeks $10,000 per plaintiff, and the outcome could help define where poor vulnerability remediation becomes outright negligence. While determining legal liability may be complicated, the suit alleges Intel was aware of issues similar to Downfall as early as 2018 but did not patch them until researchers disclosed exploits, potentially putting profits over security. Experts note that while serious exploitation could warrant liability, not all side-channel flaws would meet the standard, and overflowing court dockets would not be the solution.
(DARKREADING.COM)
Medical Company Fined $450,000 by New York AG Over Data Breach
The New York Attorney General has fined US Radiology Specialists $450,000 over a data breach resulting from a ransomware attack in December 2021. Cybercriminals accessed the company's network using valid credentials for a SonicWall security appliance. They likely exploited a vulnerability (CVE-2021-20016) that had been patched by SonicWall in February 2021. US Radiology failed to replace, by July 2021 as planned, outdated SonicWall hardware that was unable to apply the patch, citing resource issues. Nearly 200,000 patients, including 92,000 New Yorkers, had personal and health information compromised. As part of the settlement, US Radiology must enhance its security program, replace IT assets efficiently, encrypt data, implement penetration testing, and delete unneeded patient data. The NY AG has fined several medical organizations over breaches impacting large numbers of individuals. While investigations take time, resolutions like this aim to improve protections for sensitive data.
(SECURITYWEEK.COM)
Policy
NIST Releases Revised Cyber Requirements For Controlled Unclassified Information
NIST has released draft revisions to its Special Publication 800-171 guidance for protecting controlled unclassified information. The proposed updates outline new cybersecurity requirements for federal agencies and contractors handling sensitive government data. A public comment period is open until January 2024, with NIST aiming to finalize the rule in early 2024. The revisions are meant to provide a balanced starting point for organizations while addressing prior public feedback on an earlier draft.
(NEXTGOV.COM)
Privacy
Bad EIDAS: Europe Ready To Intercept, Spy On Your Encrypted HTTPS Connections
Upcoming EU digital identity rules called eIDAS 2.0 are concerning privacy advocates, as they may require browsers to trust certificates from government-approved authorities without limitation. This could enable governments to issue fake certificates and conduct man-in-the-middle attacks to surveil encrypted web traffic, returning the internet to a pre-2011 state of insecurity. Browser makers and hundreds of experts are urging clarification that the rules cannot prevent distrusting certificates used for interception. The final text is still secret ahead of an imminent approval vote.
(THEREGISTER.COM)
The IAB Tech Lab Is Seeking Comment On A New Data Deletion Framework
The IAB Tech Lab, a trade group that creates standards for the advertising industry, is seeking public comment by December 2nd on a proposed framework for processing consumer requests to delete their personal data from companies. The framework aims to establish an "elegant" and consistent way for data deletion to occur throughout the complex ad supply chain. It could help companies comply with various privacy laws requiring data deletion, such as GDPR and state laws. If implemented properly, the IAB says the framework could apply globally to honor deletion requests regardless of jurisdiction. The proposal is available on GitHub for review.
(MARKETINGBREW.COM)
Ransomware
Ransomware Gang Lockbit Posts What It Says Is Boeing Data on Site
The ransomware group Lockbit has posted documents it claims belong to Boeing Co. on its dark web site, two weeks after taking credit for a cyberattack against the aircraft manufacturer. Lockbit had previously demanded a ransom payment from Boeing by Nov. 2 or said it would release sensitive data. Boeing acknowledged the data release but said the attack poses no threat to aircraft or flight safety. Lockbit is suspected to also be behind a recent attack on Industrial & Commercial Bank of China that briefly disrupted some Treasury market trades. Its decision to leak Boeing files may show its willingness to follow through on threats if victims don't pay. The cyberattack specifically impacted Boeing's parts and distribution business website. Boeing is still investigating the incident while in contact with authorities and affected parties.
(BLOOMBERG.COM)
Technology & Defense
Seriously Risky Business: Microsoft Should Look to the Past for Its Security Future
This article critiques Microsoft's new "Secure Future Initiative" to improve cyber security, arguing it lacks the clear priorities and commitment shown in Microsoft's previous "Trustworthy Computing initiative" from 2002. The article says Microsoft needs a cultural shift, not just new engineering efforts, to improve its consistently vulnerable products. It also questions whether AI and international cooperation should be such a major part of the strategy compared to basics like secure software development.
(LAWFAREMEDIA.ORG)
What Is a Cold Boot Attack and Can You Defend Against It?
A cold boot attack targets a computer's RAM to steal sensitive data after the computer is turned off. Even though data in RAM fades when a computer shuts down, it can still be read for a short time through a cold boot attack if an attacker gains physical access. The attacker uses a bootable USB to force a restart and copy RAM contents before the data decays. Stolen data can include passwords and encryption keys. While the attack is difficult to carry out, defenses include full disk encryption, clearing RAM on shutdown, restricting boot devices, and physical access controls. Understanding how RAM works highlights the need for proactive cybersecurity against evolving threats.
(MAKEUSEOF.COM)
What We Can Learn From Major Cloud Cyberattacks
Analysis of six major cloud cyberattacks between 2020 and 2022 found they often resulted from simple technical errors that faster detection and response could have prevented. Attacks are becoming more advanced through automated tools and credential/vulnerability access. Incidents included PyTorch code repository malware, the MediBank and Alibaba/Shanghai Police data breaches, the ONUS crypto exchange hack, and Peloton and Equinix ransomware attacks. Lessons include how attackers automate scanning and exploiting targets, and the long-term impact. The research aims to help organizations review cloud security controls and processes by examining the technical aspects and response patterns. With a wider attack surface, defenders need detection/response benchmarks like detecting threats within five seconds, triaging within five minutes, and responding within five minutes. Faster speeds are needed to counter automated attacker tools in the cloud.
(DARKREADING.COM)
Security Remains A Challenge As Pentagon Broadens 5G Plans
As the Pentagon looks to utilize 5G technology against China, it will rely heavily on research and development by the US telecom industry to secure the networks. The DOD is spending $650 million on 5G pilot programs but most R&D is private sector-led. 5G could help military pilots and ground units but only if data can be kept safe from China. The DOD is working with industry on technologies to enhance security within 5G systems. Central to the DOD's vision in the Indo-Pacific is the Mission Partner Environment for sharing data between soldiers, partners and commands using zero-trust security architectures. Much military exercise work has focused on regulating data access regardless of source networks. The Pentagon's plans assume US companies have input in commercial 5G standards to drive security, as China pushes its own.
(DEFENSEONE.COM)
Intel In Talks To Build 'Secure Enclave' Chip Facilities For Defense Applications
Intel Corp. is reportedly the leading candidate to receive billions in U.S. government funding to build new secure facilities dedicated to producing microchips for the military. The facilities would aim to reduce dependence on chips imported from East Asia, particularly Taiwan, and help ensure a domestic supply of semiconductors for defense applications. Funding for the proposed new Intel facilities could reach $3-4 billion from the $39 billion set aside in the Chips Act for manufacturing grants. Officials are said to be negotiating the project with Intel but no final decision has been made. Rival chipmakers and some lawmakers have expressed concerns the grants could mean less funding available to other companies.
(SILICONANGLE.COM)
Transportation
Most WA transportation services back online following cyberattack
Many Washington State transportation department public web services have been restored following three days of outages due to a cyberattack. As of Friday morning, ferry schedules, some ferry tracking on the mobile app, mountain pass conditions, the agency's travel map, traffic cameras, and online commercial vehicle permits were back online. More work will be done over the weekend to fully restore the ferry tracker. The cause of the attack remains under investigation. Both the transportation department and the state cybersecurity agency said there is no indication data or personal information was breached. Details are limited due to the ongoing probe. The restoration of key services provides some relief, but the full effects and lessons from the attack are still being evaluated.
(WASHINGTONSTATESTANDARD.COM)
Vulnerabilities & Exploits
Android spyware delivered through infected news site targets Urdu speakers in Kashmir
Researchers from ESET discovered spyware called 'Kamran' being distributed through a compromised Urdu news website targeting readers in Gilgit-Baltistan, a disputed region between India and Pakistan. The watering hole attack involved infecting the Hunza News site, tricking users accessing it from mobile into downloading an Android app containing the Kamran spyware. The spyware stole contacts, location, files and other data from infected devices, which was uploaded to a server. ESET found 22 compromised phones in Pakistan and notified Google, but received no response from Hunza News. The targeting of Urdu speakers and the timing during local protests suggest potential political surveillance of the region's residents. The discovery highlights the risk of third-party app downloads and the importance of secure sources.
(THERECORD.MEDIA)
Malvertiser Copies PC News Site To Deliver Infostealer
A threat actor copied the website of a legitimate Windows news portal, WindowsReport.com, and used it to distribute a malicious installer disguised as the popular CPU-Z software. The fake website looked almost identical to the real one. Users who clicked on a malicious ad were redirected to the fake site, where they could download a digitally signed MSI installer containing a PowerShell script and Redline infostealing malware. The campaign targeted several other software utilities, using cloaking and domain hopping techniques to evade detection. Malwarebytes detected the payloads and blocked the related domains.
(MALWAREBYTES.COM)
What To Do With A Cloud Intrusion Toolkit In 2023? Slap A Chat Assistant On It, Duh
Predator AI is an underground cybersecurity tool that can compromise poorly secured cloud services and web apps. It has an optional chatbot assistant powered by OpenAI's ChatGPT that provides limited functionality. The tool is able to exploit 30 types of misconfigured web services and technologies ranging from AWS to WordPress. While its developers claim it is for education only, it could potentially be misused to attack infrastructure.
(THEREGISTER.COM)
Root by Accident, Privilege Escalation Using Docker
Serafin Cepeda discusses how access to the Docker daemon can enable privilege escalation attacks even when a user only has limited permissions on the host system. By understanding how Docker isolates processes and filesystems using Linux kernel tools, an attacker can leverage running containers to access "private" directories or launch new containers mounting privileged volumes. Three cases are presented: 1) accessing private files in a running container, 2) launching a container to access any host directory, and 3) using a volume mount to add oneself to sudoers and gain root. Mitigations like restricting daemon access to admins and using an orchestrator like Kubernetes, which provides RBAC, are recommended over directly managing Docker on production servers. While containers improve deployment, understanding their security implications is important. This demonstrates how seemingly low privileges can be escalated by creatively leveraging available tools and knowledge of Linux internals.
(MEDIUM.COM)
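One defensive check that follows from the mitigations above, as an added example that is not part of Serafin Cepeda's write-up: an audit over `docker inspect` output that flags containers whose configuration would let an in-container process reach the host, namely the privileged flag, the host PID namespace, and bind mounts of sensitive host paths such as `/`, `/etc` or the Docker socket (the `/etc` case is what makes the sudoers escalation possible). The inspect records below are constructed samples; the field names (`Name`, `HostConfig.Privileged`, `HostConfig.PidMode`, `Mounts[].Type/Source/Destination/RW`) follow the real `docker inspect` JSON layout.

```python
import json
import os.path

# Host paths whose exposure through a bind mount lets a container process act
# on the host. "/" and "/etc" cover the sudoers case from the article; the
# Docker socket lets a container drive the daemon itself.
SENSITIVE_HOST_PATHS = (
    "/",
    "/etc",
    "/root",
    "/boot",
    "/proc",
    "/sys",
    "/var/run/docker.sock",
    "/run/docker.sock",
)


def is_under(path, prefix):
    """True if `path` equals `prefix` or lies beneath it (both normalised).

    A prefix of "/" only matches a mount of the root itself; otherwise every
    path on the host would be reported.
    """
    path = os.path.normpath(path)
    prefix = os.path.normpath(prefix)
    if prefix == "/":
        return path == "/"
    return path == prefix or path.startswith(prefix + "/")


def audit_container(record):
    """Return (severity, message) findings for one `docker inspect` record."""
    findings = []
    name = record.get("Name", "?").lstrip("/")
    host_cfg = record.get("HostConfig", {})
    if host_cfg.get("Privileged"):
        findings.append(("high", f"{name}: runs --privileged (all capabilities and host devices)"))
    if host_cfg.get("PidMode") == "host":
        findings.append(("high", f"{name}: shares the host PID namespace"))
    for mount in record.get("Mounts", []):
        if mount.get("Type") != "bind":
            continue  # named volumes live under Docker's own data root
        src = mount.get("Source", "")
        rw = mount.get("RW", True)
        if any(is_under(src, p) for p in SENSITIVE_HOST_PATHS):
            # read-only still discloses host files; read-write allows changing them
            sev = "high" if rw else "medium"
            mode = "rw" if rw else "ro"
            findings.append((sev, f"{name}: bind-mounts host {src} at {mount.get('Destination')} ({mode})"))
    return findings


def audit_inspect_output(inspect_json):
    """Run audit_container over the JSON array that `docker inspect` prints."""
    return [f for rec in json.loads(inspect_json) for f in audit_container(rec)]


# Constructed sample in the shape of `docker inspect $(docker ps -q)`, trimmed
# to the fields the audit reads. Not captured from a real host.
SAMPLE_INSPECT = json.dumps([
    {
        "Name": "/web",
        "HostConfig": {"Privileged": False, "PidMode": ""},
        "Mounts": [{"Type": "bind", "Source": "/srv/www",
                    "Destination": "/usr/share/nginx/html", "RW": False}],
    },
    {
        "Name": "/builder",
        "HostConfig": {"Privileged": True, "PidMode": ""},
        "Mounts": [{"Type": "bind", "Source": "/", "Destination": "/host", "RW": True}],
    },
    {
        "Name": "/ops-shell",
        "HostConfig": {"Privileged": False, "PidMode": "host"},
        "Mounts": [
            {"Type": "bind", "Source": "/var/run/docker.sock",
             "Destination": "/var/run/docker.sock", "RW": True},
            {"Type": "bind", "Source": "/etc", "Destination": "/host-etc", "RW": False},
            {"Type": "volume", "Source": "/var/lib/docker/volumes/data/_data",
             "Destination": "/data", "RW": True},
        ],
    },
])


if __name__ == "__main__":
    # On a real host: docker inspect $(docker ps -q) | python3 audit.py
    for severity, message in audit_inspect_output(SAMPLE_INSPECT):
        print(f"[{severity.upper()}] {message}")
```

The sample yields four high findings (privileged builder, its root bind mount, the host PID namespace and the Docker socket in ops-shell) and one medium finding for the read-only `/etc` mount; the web container passes.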
50 Shades of Vulnerabilities: Uncovering Flaws in Open-Source Vulnerability Disclosures
Aqua Nautilus researchers evaluated vulnerability disclosure processes for over 15,000 open-source projects. They found flaws allowing attackers to harvest vulnerabilities before patches by monitoring GitHub and NVD. New disclosure stages of "Half-Day" and "0.75-Day" were introduced, where vulnerabilities are known to maintainers but details are publicly exposed without official patches. Case studies of Log4Shell and Binwalk showed long windows where vulnerabilities could be exploited early. Methods for harvesting such vulnerabilities at scale from GitHub code/issues and recent NVD entries lacking patches were presented. Mitigations like responsible disclosure policies, proactive scanning, and runtime protections were recommended to minimize early exposure windows. The research highlights risks if vulnerability timelines are not tightly controlled and calls for standardized, secure processes.
(AQUASEC.COM)