Monday, November 13, 2023

11/13/2023 Cyber Briefing, Across Critical Infrastructure Sectors.


Today's Highlights

In response to escalating cyber threats, the United States has launched a comprehensive initiative known as "Shields Ready". Led by the Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Emergency Management Agency (FEMA), this strategy encourages organizations to identify critical assets, develop risk management plans, and enhance systems resilience. Despite these strategic efforts, some experts believe that sector-specific requirements and punitive measures could be necessary to ensure compliance, a perspective highlighted in a recent report.

Simultaneously, top cybersecurity executives have appealed to Congress to maintain funding for CISA. They warn that proposed budget cuts could undermine efforts to protect the nation's critical infrastructure and federal systems, increasing vulnerability to cyber threats.

Amid these developments, the National Security Agency (NSA) has issued a warning about the ongoing threat posed by Chinese government-backed hackers to U.S. critical infrastructure. These hackers use sophisticated techniques to infiltrate networks, underscoring the need for a coordinated, community-wide effort to counter them.

In Australia, ports operator DP World was hit by a "serious and ongoing" cyber incident that disrupted operations at major ports in Sydney, Melbourne, Brisbane, and Fremantle. The company has since made "significant progress" in restoring operations, but the impact has been a stark reminder of the vulnerabilities within Australia's trade infrastructure.

Meanwhile, in the financial world, Industrial and Commercial Bank of China (ICBC) has endured a disruptive cyberattack. The ransomware attack on ICBC's New York unit disrupted US Treasury trading. However, U.S. Treasury Secretary Janet Yellen stated that the attack minimally disrupted Treasury Market trades. The attack forced ICBC to trade via USB stick and caused "service issues" with the Fedwire Securities settlement platform for US Treasuries. Cyber experts suggest that the ransomware group LockBit could be behind the attack.

Artificial Intelligence

AI Must Play Vital Role In Federal Cyber Defense, GDIT Report Says
A new report from General Dynamics Information Technology and Splunk reveals that federal agencies recognize AI's potential for real-time threat detection and automated mitigation. The research found agencies feel overwhelmed by data and in need of better tools. It recommends agencies harness AI to navigate data surges, bolster real-time analytics, and leverage automation to offset human errors. The report aligns with the White House's AI order and says agencies must integrate AI to anticipate threats more efficiently and advance defensive cyber operations. (MERITALK.COM)

How the U.S. Funded China's AI Ambitions
The U.S. awarded at least $30 million in grants for research led by Song-Chun Zhu, now a top AI scientist in China. Pentagon funding for Zhu at UCLA continued through 2021 for projects like robot autonomy and intelligence systems, despite him starting a parallel institute in China in 2010 and joining talent programs transferring technology to China. Experts say the U.S. risks losing its lead as China extracts technology through programs like the Thousand Talents Plan. While international collaboration benefits research, the U.S. is now scrutinizing funding recipients with undisclosed foreign ties like Zhu, who called AI the next "atomic bomb." His work in computer vision and cognition, core to potential superintelligent systems, continues with former students via papers also citing U.S. grants. The technology loss impacts are difficult to measure but could be significant militarily and economically. (DISCOUNTMAGS.COM)

Pro Take: Going Beyond Moore’s Law; Semiconductor Innovation Continues, But It Is Tougher
While Moore's Law of transistor doubling every two years no longer holds true due to physical limits, semiconductor innovation for AI continues through approaches like sparsity, number representation, and customizing chips. Nvidia's Bill Dally says the next four years are clear but it's getting harder, not cheaper. AI may help design chips faster. Researchers are pushing new fronts but large-scale automation could transform and unleash more creativity. Innovation exists beyond Moore's Law through different means of improving chip performance and efficiency. (WSJ.COM)

New AI Watchdog Hopes To Thwart 2024 Disinformation Campaigns
A new think tank called the California Institute for Technology and Democracy (CITED) plans to study responsible AI usage and lobby for regulation to prevent deepfakes and disinformation from influencing the 2024 election. CITED will develop state-level policy recommendations in California and a national agenda to be released in January addressing issues like deepfake labeling, algorithmic transparency, and boosting media literacy. The non-partisan group aims to build on momentum from the Biden administration's AI order. Experts say advances in AI generation could allow misleading videos to target voters if left unregulated. (EMERGINGTECHBREW.COM)

Critical Infrastructure

US Launches "Shields Ready" Campaign To Secure Critical Infrastructure
The US has launched the "Shields Ready" initiative to promote critical national infrastructure security and resilience. It outlines broad strategies for preparing critical infrastructure organizations for potential disruption by building more resilience into systems, facilities, and processes. This complements the "Shields Up" campaign which encourages specific actions during threats. Shields Ready urges identifying critical assets, evaluating threats, developing risk management and response plans, and exercising those plans. It aims to ensure US critical infrastructure is better equipped to respond to and recover from all threats including cyberattacks and natural disasters. The campaign is led by CISA and FEMA to provide infrastructure operators with tools for more effective risk management and incident response. (CSOONLINE.COM)

'Shields Ready' Critical Infrastructure Initiative Addresses Inevitable Cyberattacks
The US government's 'Shields Ready' initiative aims to prepare critical infrastructure operators for inevitable cyberattacks and disasters by encouraging investments in resilience. Led by CISA and FEMA, it assumes disruptions will occur and calls for readiness to maintain services. While providing guidance, the initial effort lacks regulatory enforcement. Experts say sector-specific requirements are needed given varied infrastructure sectors. Some argue punitive measures may be necessary to motivate compliance, as security remains a non-essential cost. By focusing on executive accountability, the government hopes to incentivize critical infrastructure stakeholders to treat preparedness as a priority. (DARKREADING.COM)

The NSA Seems Pretty Stressed About the Threat of Chinese Hackers in US Critical Infrastructure
NSA officials are warning that Chinese government-backed hackers pose a serious ongoing threat to US critical infrastructure networks. At a cybersecurity conference, the NSA emphasized the need to identify and remove China-backed attackers like the group Volt Typhoon, known to target power grids and other vital systems. Officials said these hackers employ sophisticated "living off the land" techniques instead of malware, abusing legitimate tools to embed covertly within networks for the long term. Microsoft also reported that Volt Typhoon remains active, targeting universities and military groups, and that its access could enable disruption. The NSA urged network defenders to closely audit logs for anomalies, limit privileges, patch vulnerabilities, and verify fixes to catch any past exploitation. Officials stressed that the entire cybersecurity community must work together to protect critical US infrastructure from this threat. (WIRED.COM)

Crypto

More Than $100 Million Stolen From Poloniex Crypto Platform
Hackers stole over $100 million from the cryptocurrency exchange Poloniex on Friday, taking millions in Bitcoin and Ethereum. Poloniex is investigating and plans to reimburse users, offering the hacker a 5% bounty to return funds within 7 days before involving law enforcement. Blockchain firms estimated up to $130 million was stolen. Poloniex is owned by Justin Sun and handles over $500 million in daily trades. The attack follows a months-long lull after earlier hacks of the platform involving tens of millions of dollars in 2022 and 2021. Law enforcement believes North Korea's Lazarus group targets crypto exchanges to fund nuclear weapons. (THERECORD.MEDIA)

Cyber Hygiene

Preparing For The Worst: What To Do If You Lose Your Phone
Losing your phone can be devastating as most people rely on their phones as the key to their digital lives. This article provides tips on how to prepare for losing your phone such as backing up your phone to the cloud or your computer, enabling locator services like "Find My", using a password manager and multifactor authentication, and adding extra security to important apps. It stresses the importance of having access to backups, passwords, authentication codes and other important information from devices other than just your phone. (VOX.COM)

Mortgage giant Mr. Cooper says customer data exposed in breach
Mortgage servicer Mr. Cooper disclosed that customer data was exposed in the cyberattack it reported on October 31st. The company is still investigating the nature of the compromised information and will provide more details to affected individuals in the coming weeks. Financial data is not stored on the impacted systems and is not believed to be involved. Mr. Cooper urged customers to monitor credit reports and accounts for suspicious activity. The breach forced an IT shutdown, though the company assured customers there would be no late fees or penalties. Mr. Cooper services over 4 million home loans totaling $937 billion. While no ransom demand from the attackers has been confirmed, the incident highlights the risk of data exposure at large financial organizations when cyber incidents disrupt critical systems. (BLEEPINGCOMPUTER.COM)

'Sensitive data' may have been leaked in cyber attack, says Toronto Public Library
The Toronto Public Library now says "sensitive data may have been exposed" in an ongoing ransomware attack that has disrupted its services for almost two weeks. While initially saying there was no evidence of personal information being compromised, the library revealed an investigation found sensitive employee data was likely accessed. It's working with experts to determine the scope of the exposure and notify affected individuals. Library patrons have expressed concern over potential leaks of financial data used for fees. Experts criticize the library for initially downplaying risks, saying affected people need to know if they should monitor accounts or change passwords. Branches remain open but digital services are unavailable during the service interruption. (THESTAR.COM)

Cyber Threats

Anonymous Sudan: Neither Anonymous Nor Sudanese
Experts believe the hacker group known as Anonymous Sudan is likely a Russian state-backed operation rather than an authentic Sudanese collective. The group emerged speaking Russian and targets Western organizations. It coordinates with pro-Kremlin groups and conducts expensive DDoS attacks indicative of state funding. While claiming to defend Islam, it ignores Quran desecration in Russia. The name serves as a distraction from its true agenda of disrupting the West to further Russian interests. (CYBERNEWS.COM)

Cyberattacks

Australia Ports Firm Fights to Restore Operations After Cyber Incident
Ports operator DP World is working to resume normal operations at major Australian ports in Sydney, Melbourne, Brisbane and Fremantle, which were disrupted two days ago by a "serious and ongoing" cyber incident. While investigating potential data access and theft, DP World disconnected IT systems to prevent further unauthorized access. This has significantly impacted operations, though some freight can still be accessed if needed. After meetings, government cyber coordinator Darren Goldie said disruptions could last days rather than weeks. As DP World handles around 40% of Australia's trade, government agencies are assisting the response. Experts say Australia has been a target due to inadequate security and large troves of customer data held by companies. Recent massive data breaches impacted Medibank and Optus customers. With cybercrime on the rise, the incident is another reminder for firms and governments to bolster protections for sensitive information infrastructure. (YAHOO.COM)

DP World Australia Makes 'Significant Progress' To Restore Operations After Cyber Attack
Ports operator DP World Australia says it is making "significant progress" restoring landside freight operations after a cyber attack on Friday disrupted its container terminals in Melbourne, Sydney, Brisbane and Fremantle. While investigating the incident, which government officials called "nationally significant", DP World confirmed it is examining potential data access and theft. The company is working to determine if any personal information was impacted. Australia's cyber security co-ordinator said DP World's IT systems remain disconnected from the internet as investigations continue, significantly impacting operations, though some freight can still be accessed if necessary. As DP World handles around 40% of Australia's imports and exports, the government is assisting efforts to resolve the incident and support restoring normal port operations as quickly as possible. (THENATIONALNEWS.COM)

Australia locks down ports after ‘nationally significant’ cyberattack
Australia is responding to a major cyberattack targeting ports that prompted operator DP World to lock down major facilities. After detecting a "cybersecurity incident" late Friday, DP World restricted access to ports it operates in Sydney, Melbourne, Brisbane and Fremantle, which handle 40% of Australia's maritime freight. The government called it a "nationally significant incident" significantly impacting operations. Ships cannot unload and freight cannot leave port sites due to the restrictions. The cybersecurity coordinator said the interruption is expected to last days, hindering goods flows. The Australian Federal Police are investigating. It follows other Australian cyberattacks recently against a crypto exchange and Pizza Hut customers. Officials aim to resolve the incident and restore port access and operations. (CO.UK)

'Cybersecurity incident' rocks ports operator DP World, locks down major Aussie ports
Major Australian ports have been shut down after ports operator DP World confirmed a "cybersecurity incident". Late on Friday night, DP World restricted landside access to container terminals in Sydney, Melbourne, Brisbane, and Fremantle that it operates. The company said teams are working to contain the situation and determine the cyberattack's impact, engaging cybersecurity experts to investigate while notifying authorities. No services are operating until the investigation concludes. It comes after data breaches impacted Australian companies like Coinspot cryptocurrency exchange and Pizza Hut in recent months. DP World is an international ports and logistics firm that operates in Australia. There is no known link between the cyber incident and industrial action recently voted for by the Maritime Union of Australia against DP World. (COM.AU)

For Maine, The MOVEit Attack Is Personal
Maine disclosed that personal information of approximately 1.3 million people, representing nearly its entire population, was accessed in a ransomware attack exploiting the MOVEit file transfer service in late May. This makes it one of the most extensive breaches related to the widespread MOVEit attacks, which have impacted nearly 2,600 organizations and exposed data on over 29 million individuals stored with government contractors and agencies. The attack underscores the massive downstream damage that can occur when a widely used compliant file transfer system is compromised. (CYBERSECURITYDIVE.COM)

Multiple Australian Ports Closed After Cyber Security Breach
Several port terminals across Australia have been closed as the Australian Federal Police investigate a cyber security breach. DP World discovered the breach on Friday night and closed its container terminals in Brisbane, Sydney, Melbourne and Fremantle. The container terminals are expected to be closed for days which severely impacts the movement of goods in and out of the country. The National Coordination Mechanism is working with the company and government to resolve the incident. Only landside operations from DP World have been impacted with ship movements remaining unaffected. (COM.AU)

Washington State Department of Transportation Working to Recover from Cyberattack
The Washington State Department of Transportation is working to recover from a cyberattack that began on Tuesday, causing issues for ferry schedules, traffic cameras, and apps. The department's website, cameras, and app went down, affecting maps, ferry video feeds, and online permits. A spokesperson said there was no indication of other systems being affected and the cause is under investigation. Parts of the website returned on Thursday but certain pages remained down. Traffic cameras were restored to the app but not website. The mobile app, travel map, and online permits are still out of service as recovery work continues. The department did not confirm if it was a ransomware incident. Washington state agencies and transportation systems have dealt with other cyberattacks and data breaches in recent years. (THERECORD.MEDIA)

Microsoft: BlueNoroff hackers plan new crypto-theft attacks
Microsoft warns that the North Korean state-sponsored hacking group BlueNoroff, also known as Sapphire Sleet, is setting up new fraudulent websites and social engineering infrastructure on LinkedIn to target cryptocurrency employees. The group has a history of deploying malware via social media to backdoor systems and steal crypto assets. Previously relying on GitHub, BlueNoroff now hosts payloads on password-protected websites disguised as skills assessments. Microsoft believes this change was prompted by detection of prior attack methods. BlueNoroff is known for targeting over 35 countries, stealing an estimated $2 billion, and being involved in the largest crypto hack against Axie Infinity's Ronin bridge. Microsoft's warning highlights the persistent cryptocurrency theft efforts of this sanctioned North Korean threat group. (BLEEPINGCOMPUTER.COM)

State of Maine Becomes Latest MOVEit Victim to Surface
The state of Maine confirmed it was affected by the ongoing MOVEit file transfer vulnerability between May 28-29, exposing information on 1.3 million individuals. Compromised data could include names, SSNs, DOBs, driver's license numbers, taxpayer IDs, medical info and health insurance details. Maine secured the impacted MOVEit server and is notifying affected individuals via email, mail and a call center. Two years of credit monitoring will be offered to those whose SSNs or taxpayer IDs were involved. This adds Maine to the lengthy list of MOVEit victims across sectors, demonstrating many organizations are unprepared for sophisticated breaches. Experts stress the need for governments to prioritize adopting cutting-edge security strategies to better protect citizens' data. (DARKREADING.COM)

Cyber Attack Disrupts Washington DOT Website, Services
A cybersecurity incident has disrupted key parts of the Washington State Department of Transportation's website since Tuesday, causing major issues for travelers. While the basic site and app remain up, real-time information like traffic cameras, ferry tracking, and the travel map are inaccessible due to the outage. WSDOT is investigating internally but has not yet involved law enforcement. Few details are available on the source or nature of the attack. The lack of live ferry tracking has significantly impacted passengers, as schedules no longer reflect delays. Traffic cameras were restored Thursday. WSDOT continues to provide updates on social media and email about late ferries. The disruption comes as winter weather approaches and travelers rely on the site for planning. (GOVTECH.COM)

LinkedIn says spy firm targeted Hungarian activists, journalists before 2022 election
LinkedIn has acknowledged that private spy firm Black Cube used fake LinkedIn profiles to target Hungarian activists and journalists critical of Prime Minister Viktor Orban ahead of Hungary's 2022 election. A LinkedIn researcher said Black Cube created a network of fake personas on the platform to connect with targets via bogus job postings, then secretly recorded video conversations that were published in pro-government media. LinkedIn took down the fake accounts for a "clear violation" of its rules. One target said the footage received widespread coverage. Black Cube said it works only on litigation and white-collar crime matters, and does so legally. While Orban's party won re-election, a target said the election was not fair. LinkedIn did not provide details on the fake account takedown or on who Black Cube may have been working for. (REUTERS.COM)

Boeing Says Information From System Published Online by Cyber Criminals
Boeing has acknowledged that information from its systems was published online by cyber criminals. In a statement, the aerospace company said its parts and distribution business recently experienced a cybersecurity incident. While Boeing said it was confident the incident did not threaten aircraft or flight safety, the company is investigating and in contact with law enforcement and regulators. The statement comes after Boeing's parts and services website went offline last week due to a "cyber incident." Boeing did not provide further details on the incident or what information may have been released by the "criminal ransomware actor." (WSJ.COM)

Maine Says 1.3 Million People Affected by Data Breach
Maine revealed that about 1.3 million people were affected by a data breach earlier this year. The breach was part of a massive May cyberattack that exploited a vulnerability in the MOVEit file transfer system, also impacting several US federal agencies. The affected Maine data included names, SSNs, DOBs, driver's license numbers, taxpayer IDs, medical information and health insurance details. Over 50% of the data came from Maine DHHS and 10-30% from the Department of Education. The state blocked MOVEit server access and implemented security recommendations as soon as it learned of the breach. An investigation identified compromised information. Those with affected SSNs or taxpayer IDs can receive credit monitoring. The attack has impacted over 70 million worldwide and also breached data from Louisiana, Colorado and Oregon agencies. (THEHILL.COM)

Russia-Linked Hackers Claim Credit For OpenAI Outage This Week
The hacking group Anonymous Sudan, which is linked to Russia, claimed responsibility for distributed denial-of-service attacks that caused outages and errors for OpenAI's ChatGPT conversational AI this week. In a Telegram post, the group said it targeted OpenAI due to the company exploring investment opportunities in Israel. Anonymous Sudan is known for cyberattacks aimed at disrupting Western organizations to further Russian interests. (BLOOMBERG.COM)

Maine Government Says Data Breach Affects 1.3 Million Residents
The government of Maine disclosed that a May ransomware attack exploiting a MOVEit file transfer system resulted in the theft of personal data for over 1.3 million state residents, or nearly its entire population. The data includes names, birthdates, IDs and in some cases health and insurance information from various state agencies. This makes it one of the largest breaches stemming from the widespread MOVEit attacks, which a cybersecurity firm says have impacted at least 69 million people total across thousands of victims. (TECHCRUNCH.COM)

Mr. Cooper Customers’ Data Exposed By Cyberattack
Mortgage servicer Mr. Cooper notified customers and regulators that a cyberattack last week resulted in certain customer data being exposed, though the full scope and type of data compromised is still under review. The attack blocked millions from making payments until alternative options were set up. While operational impacts are expected in Q4, the company believes costs up to $10 million will be the extent of financial damage. It's the third largest mortgage servicer in the US with over 4.3 million customers. (CYBERSECURITYDIVE.COM)

Cyberattack Shuts Down WA Transportation Website, Bringing Confusion, Disruptions
A cybersecurity incident targeted the Washington State Department of Transportation's website, taking down most real-time travel information since Tuesday. While the basic site and app remain up, the ferry and traffic camera tracking are offline. This has caused major disruptions for ferry riders and mountain pass drivers as winter approaches. WSDOT is investigating but has not involved law enforcement yet. No restoration timeline was given, and officials declined specifics due to the ongoing probe. The governor's office is monitoring the situation. Passengers are turning to third-party sites and signage for ferry updates in the absence of the usual online tracking tools. (SEATTLETIMES.COM)

Hackers, Scrapers & Fakers: What's Really Inside the Latest LinkedIn Dataset
Troy Hunt investigated a claimed LinkedIn data breach and found it was a mix of legitimate public profile data scraped from LinkedIn and fabricated information. He analyzed sample records, noting that every email address followed the pattern "[first name].[last name]@domain", a convention that is common but far from universal. Checking real email addresses from the same companies showed different formats, so the uniform pattern across every record indicated fabrication. Column headers referenced multiple data sources. While some data such as employment history was real, the emails were likely generated algorithmically from the name fields. He loaded the data into Have I Been Pwned but flagged it as a spam list, since not all addresses were real. Loading it still informs people whose data was included, allowing them to take their own precautions. Claims that the breach was due to an insider or LinkedIn mishandling are unfounded; the evidence points to data aggregation and fabrication. (TROYHUNT.COM)
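The check described above, as an added example that is not Troy Hunt's code: it classifies each record's address by the naming convention it follows relative to the name fields, measures how uniform the dump is, and compares each domain's convention against a constructed table of verified formats (names, domains and the KNOWN_FORMATS table are all invented here).

```python
import re
from collections import Counter

# Constructed sample records in the style of the claimed dump (invented names and domains, not real data).
SAMPLE_RECORDS = [
    {"first": "Alice", "last": "Nguyen", "email": "alice.nguyen@examplecorp.test"},
    {"first": "Bob", "last": "Okafor", "email": "bob.okafor@examplecorp.test"},
    {"first": "Carla", "last": "Ruiz", "email": "carla.ruiz@widgets.example"},
    {"first": "Dmitri", "last": "Volkov", "email": "dmitri.volkov@widgets.example"},
    {"first": "Eve", "last": "Smith", "email": "eve.smith@northbank.example"},
]

# Constructed control set resembling genuinely collected addresses: mixed conventions.
MIXED_RECORDS = [
    {"first": "Alice", "last": "Nguyen", "email": "anguyen@examplecorp.test"},
    {"first": "Carla", "last": "Ruiz", "email": "carla.ruiz@widgets.example"},
    {"first": "Eve", "last": "Smith", "email": "eve_smith@northbank.example"},
    {"first": "Frank", "last": "Li", "email": "frank@solo.example"},
]

# Constructed "ground truth": the convention seen in verified real addresses at each domain
# (stand-in for checking real addresses from the same companies).
KNOWN_FORMATS = {
    "examplecorp.test": "flast",
    "widgets.example": "first.last",
    "northbank.example": "first_last",
}


def _norm(s):
    """Lower-case a name and drop anything that is not a letter or digit."""
    return re.sub(r"[^a-z0-9]", "", s.lower())


def email_format(first, last, email):
    """Name the convention the address follows relative to the record's own name fields."""
    if email.count("@") != 1:
        return "invalid"
    local, domain = email.lower().split("@")
    f, l = _norm(first), _norm(last)
    if not f or not l or not domain:
        return "invalid"
    candidates = {
        "first.last": f"{f}.{l}",
        "first_last": f"{f}_{l}",
        "firstlast": f"{f}{l}",
        "flast": f"{f[0]}{l}",
        "first.l": f"{f}.{l[0]}",
        "first": f,
        "last.first": f"{l}.{f}",
    }
    for name, candidate in candidates.items():
        if local == candidate:
            return name
    return "other"


def format_profile(records):
    """Count how many records fall under each naming convention."""
    return Counter(email_format(r["first"], r["last"], r["email"]) for r in records)


def dominant_share(profile):
    """Return (convention, fraction of records) for the most common convention."""
    total = sum(profile.values())
    if total == 0:
        return None, 0.0
    fmt, n = profile.most_common(1)[0]
    return fmt, n / total


def domain_conflicts(records, known_formats):
    """Domains where the dump's convention never matches the verified real one."""
    seen = {}
    for r in records:
        fmt = email_format(r["first"], r["last"], r["email"])
        if fmt == "invalid":
            continue
        domain = r["email"].lower().split("@")[1]
        seen.setdefault(domain, set()).add(fmt)
    return sorted(d for d, fmts in seen.items()
                  if d in known_formats and known_formats[d] not in fmts)


def assess(records, known_formats, uniform_threshold=0.95):
    """Combine the uniformity signal and the verified-format signal into a verdict."""
    profile = format_profile(records)
    fmt, share = dominant_share(profile)
    conflicts = domain_conflicts(records, known_formats)
    signals = []
    if share >= uniform_threshold:
        signals.append(f"{share:.0%} of addresses follow '{fmt}'")
    if conflicts:
        signals.append("verified format differs for: " + ", ".join(conflicts))
    if len(signals) >= 2:
        verdict = "likely fabricated"
    elif signals:
        verdict = "suspicious"
    else:
        verdict = "no pattern signal"
    return {"dominant_format": fmt, "share": share, "conflicts": conflicts,
            "signals": signals, "verdict": verdict}


if __name__ == "__main__":
    for label, recs in (("claimed dump", SAMPLE_RECORDS), ("control set", MIXED_RECORDS)):
        print(label, assess(recs, KNOWN_FORMATS))
```

A single dominant convention alone is only suspicious, since some organizations really do use first.last throughout; the combination with verified addresses from the same domains is what makes the verdict.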

Sumo Logic Discloses Security Breach, Advises API Key Resets
Security analytics company Sumo Logic disclosed a security breach after discovering an attacker compromised its AWS account last week using stolen credentials. While Sumo Logic's own systems and customer data remain encrypted, it advised customers to reset API keys, collector credentials, third-party credentials stored with Sumo Logic, and user passwords as a precaution. Sumo Logic detected the breach on November 3rd after finding evidence an attacker accessed a Sumo Logic AWS account. It immediately locked down exposed infrastructure and rotated all potentially exposed credentials. Sumo Logic continues investigating the origin and scope of the incident, and will directly notify customers if evidence is found of access to their accounts. Customers should monitor updates on Sumo Logic's security response center. The incident underscores the importance of regularly resetting credentials to limit the impact of stolen credentials being abused in breaches. (BLEEPINGCOMPUTER.COM)

Cyberwar

Microsoft: Iran's Cyberattacks on Israel Exaggerated & Fabricated
Microsoft has assessed that claims of successful, coordinated cyberattacks from Iranian actors against Israel have been exaggerated and fabricated. According to the report, alleged ransomware attacks were likely fabricated. The compromise of connected webcams described as targeting Israeli military installations were actually opportunistic, non-targeted access of consumer devices with no military relevance. Microsoft found no evidence that network attacks were timed to align with physical attacks on October 7th as claimed. While some destructive infrastructure attacks occurred on October 18th, Iranian actors' success has generally been amplified through information operations rather than coordinated, strategic attacks. Microsoft believes prolonged conflict increases chances of more proactive Iranian cyber activities but recent claims have overstated impacts. (DARKREADING.COM)

Events

Evolving Threats, Stagnant Policies: A Conversation On How To Secure Critical Infrastructure For The Cyber Era
This event from FDD and CSC 2.0 will feature a panel discussion on securing critical infrastructure on November 13th at 12:00pm ET. The panel will include Kiersten Todt from CISA, RADM Mark Montgomery from FDD, and Mary Brooks from the Wilson Center, and will be moderated by Martin Matishak from The Record. They will discuss the shortcomings of PPD-21, improving public-private collaboration to protect security and the economy, and recommendations for the Biden administration's policy review on governing critical infrastructure partnerships. (FDD.ORG)

Administration Officials And Others On Cybersecurity Risk Management
Administration officials, cybersecurity administrators, and law enforcement discussed cybersecurity risk management planning and challenges for small and medium-sized communications companies during a meeting hosted by the Federal Communications Commission (FCC) and Cybersecurity and Infrastructure Security Agency (CISA) in Washington, DC. (C-SPAN.ORG)

Empowering SMBs: Developing A Resilient Supply Chain Risk Management Plan
The Cybersecurity and Infrastructure Security Agency will present their latest resource guide called "Empowering SMBs: A Resource Guide for Developing a Resilient Supply Chain Risk Management Plan" at a webinar on Wednesday, November 15, 2023 from 11 AM to 12 PM EDT. The guide was created to provide small and medium-sized businesses with a starting point for developing and customizing an information and communications technology supply chain risk management plan that meets their needs and supports establishing an actionable plan to mitigate risks and disruptions. (CISA.GOV)

Financial

Yellen Says Ransomware Attack On China's Biggest Bank Minimally Disrupted Treasury Market Trades
U.S. Treasury Secretary Janet Yellen suggested that a ransomware attack on China's largest bank only minimally disrupted the U.S. Treasury market, as she and Chinese finance officials discussed the incident at a meeting in San Francisco ahead of an economic summit. Yellen said there was no impact seen on the Treasury market and close communication between officials was critical in such situations. (APNEWS.COM)

Hack at ICBC Targeted the Digital Underbelly of Financial Markets
A ransomware attack on Industrial and Commercial Bank of China's New York unit disrupted US Treasury trading this week, underscoring fears of cyber threats to financial markets. While the impact was minor, the incident showed hackers can hold critical infrastructure for ransom. ICBC is a major intermediary, and the attack forced it to disconnect from the Treasury settlement system run by BNY Mellon. Some $62 billion in Treasuries failed to deliver on time. Though trading volumes were unaffected, the fragility of the plumbing underlying markets was exposed. Regulators have pushed for more trading to occur on centralized platforms like DTCC to reduce such risks, but industry argues this could discourage participants. The attack comes as the SEC and others scramble to strengthen cyber defenses of critical financial sectors. (WSJ.COM)

ICBC Hack Shows All Foreign Marks Are Equal to Russia's LockBit
The cyberattack on Industrial and Commercial Bank of China (ICBC) that disrupted US Treasury trades was likely carried out by the ransomware group LockBit, according to cyber experts. LockBit, based in the Netherlands with many Russian speakers, has become the most prolific cyber extortion group through outsourcing hacking work and portraying itself as politically neutral. However, the ICBC attack breaks the unofficial agreement between Russian and Chinese groups not to target each other's institutions, putting pressure on Putin as he relies on China's support. LockBit claims an affiliate was responsible without permission, though experts say the group doesn't seem concerned about China's reaction. The ICBC hack aligns with LockBit testing new non-Western markets. While sensitive to criticism in the past, LockBit has shown increasing ruthlessness through hundreds of attacks extracting tens of millions in ransom. (BLOOMBERG.COM)

Treasury Settlement Delays Continue in Wake of ICBC Hack
The Federal Reserve reported ongoing "service issues" impacting its Fedwire Securities settlement platform for US Treasuries, similar to an issue on Thursday following a cyberattack on Industrial and Commercial Bank of China (ICBC). The attack prevented ICBC from clearing trades, forcing clients to reroute transactions. On Thursday, some Treasury trades had to be settled via a USB drive delivery. Details of the disruption are unclear, though liquidity was affected. The incident underscores the benefits of central clearing to prevent single counterparty failures from causing widespread issues. Ransomware attacks have surged, including hits on major companies, and the ICBC incident likely exposes weaknesses in its defenses. Financial institutions remain on high alert for potential disruptions from cyberattacks. (BLOOMBERG.COM)

World's Biggest Bank Has To Trade Via USB Stick After Hack
Industrial and Commercial Bank of China (ICBC), the world's largest bank, had to resort to physically transporting US Treasury trade settlement details on a USB flash drive between parties in Manhattan after it suffered a cyberattack. This caused ICBC's clients to reroute some Treasury trades and shocked the banking industry due to the bank's size and importance in the largest financial market. Experts called it a true shock that highlighted vulnerabilities. (BLOOMBERG.COM)

U.S. subsidiary of China’s ICBC hit by devastating cyberattack
A ransomware attack hit the New York-based subsidiary of the Industrial and Commercial Bank of China, disrupting its ability to settle US Treasury and repurchase agreement trades. ICBC is the world's largest bank by assets. The cybercrime group Lockbit took credit and began posting what it claimed was data stolen from Boeing in the same attack. Lockbit is a prolific ransomware operation that US and Canadian authorities have sought to dismantle for years, arresting one member in Ontario in 2021. The ICBC attack underscored the potential for cyberattacks to disrupt critical financial market infrastructure since Treasury trades total hundreds of billions daily. ICBC resorted to manually settling trades with USB drives, highlighting the attack's severity in compromising an important intermediary in the US financial system. (THELOGIC.CO)

Yellen: no impact on US Treasury market from ICBC hack
US Treasury Secretary Janet Yellen said the ransomware attack on Industrial and Commercial Bank of China that disrupted the largest Chinese bank had not interfered with the US Treasury market. Yellen spoke with China's Vice Premier He Lifeng about the incident during talks in San Francisco. While ICBC's access to the electronic US Treasury settlement platform remained cut off, Yellen said there was no impact seen. She stressed the importance of close communication between the US and Chinese economic officials in such situations. The Treasury Department has provided assistance to ICBC in dealing with the issue, Yellen added. (REUTERS.COM)

Brazen ransomware attack on US unit of Chinese banking giant has financial sector on alert
A ransomware attack on a US subsidiary of Chinese state bank ICBC that disrupted Treasury trades has heightened alertness across the global financial sector. While financial institutions are typically well defended, the ransomware threat poses new challenges. The attack showed even well-resourced companies can be disrupted. It led to intelligence sharing within the financial sector on the evolving threat. The hack targeted ICBC Financial Services in New York, and recovery is ongoing. The prolific LockBit group claimed responsibility, though affiliates sometimes carry out attacks. The brazen nature of targeting such a large bank drew concern it could draw Chinese government scrutiny of the hackers. However, poor US-Russia relations have allowed ransomware groups to operate from Russia with impunity. The 2010 attacks blamed on Iran previously woke up the financial sector to cyber defense needs. (CNN.COM)

Yellen Says Ransomware Attack on China's Biggest Bank Minimally Disrupted Treasury Market Trades
US Treasury Secretary Janet Yellen said a ransomware attack that forced China's largest bank, Industrial and Commercial Bank of China (ICBC), to take some systems offline only minimally disrupted US Treasury market trades. Yellen and Chinese finance officials discussed the attack at a meeting in San Francisco. Yellen said close communication between the countries was important in dealing with such situations. The impacted ICBC unit handles trades and services for financial institutions. It took systems offline on Wednesday due to the ransomware attack and was investigating. All Treasury and repo financing trades were cleared. As the second largest holder of US debt, China holds $805.4 billion in Treasury securities. The ransomware group LockBit, which predominantly targets non-Russian speakers, was reportedly behind the attack. (THEHILL.COM)

After a Surprise Cyberattack, The World's Largest Bank Had to Shuffle a USB Stick Around Manhattan to Do Business
The US unit of Industrial and Commercial Bank of China, the world's largest bank by assets, reportedly suffered a cyberattack on Wednesday from the Russia-linked group Lockbit. On Thursday, the bank disclosed the breach while conducting some Treasury trades via a messenger shuffling a USB stick around Manhattan, as the infected systems were sorted out. The improvised method was used while the $23.5 billion ICBC Financial Services unit addressed the attack, evoking images of fictional physical data transfer jobs like in Johnny Mnemonic. Details of the real-life USB trading scheme were light, amusingly envisioning the stressed journey of an intern enlisted to speedily shuttle the drives through busy New York streets. (PCGAMER.COM)

Feds recovering additional $1.187M of $5.9M stolen from New Haven schools in cyber fraud
Federal authorities have seized and are in the process of recovering an additional $1.187 million stolen from New Haven Public Schools in a cyber fraud earlier this year, bringing the total recovered funds to $4.7 million of the $5.9 million stolen. Criminals had compromised a school official's email and impersonated a bus company to redirect $5.9 million in payments. While $3.6 million was previously recovered, tracking the additional $1.187 million, which was transferred multiple times, has taken more time. $1.2 million remains missing. New Haven has hired consultants to tighten cybersecurity and financial controls. The theft is being investigated by the FBI and US Marshals, and the US Attorney's Office is seeking forfeiture of recovered funds through civil asset forfeiture. Insurance policies may cover some of the missing amount. (CTINSIDER.COM)

Government

As Congress Weighs Budget Priorities, Top Cyber Execs Urge CISA Funding Support
A bipartisan group of cybersecurity executives signed a letter urging Congress to support funding for CISA amid concerns that proposed budget cuts could undermine efforts to protect critical infrastructure and federal systems from growing cyber threats. The letter warns that cuts would increase risks from criminal and state-linked hackers. CISA has faced Republican criticism over its work on election security disinformation. Experts say cuts would hamper the agency's ability to monitor networks and leave gaps adversaries could exploit. (CYBERSECURITYDIVE.COM)

Healthcare

Hackers Stole Personal Data of Over 800k Sutter Health Patients in California Data Breach
Hackers stole the personal information of over 845,000 Sutter Health patients in California through a massive data breach at Virgin Pulse, a Welltok subsidiary that stored patient data. Virgin Pulse was among thousands of organizations affected by a May ransomware attack exploiting a flaw in file transfer software MoveIt. While financial data was not compromised, certain health details were taken. The breach also impacted over 1.2 million CalPERS and CalSTRS retirees. It remains unknown if any privacy laws were violated. Lawsuits have been filed against MoveIt developer Progress Software and affected groups. Experts say it would be difficult for hackers to organize and use the stolen information, but the potential remains. Patients can call Virgin Pulse for support related to the breach. (FRESNOBEE.COM)

McLaren Health Care Says Data Breach Impacted 2.2 Million People
McLaren Health Care is notifying 2.2 million individuals of a data breach that occurred between July and August 2023. An unauthorized actor accessed McLaren's systems on August 22nd. An investigation found the breach began on July 28th. Data involved includes names, DOBs, SSNs, insurance info, medical records, diagnoses and more. The specific data varies by individual. All impacted will receive 12 months of identity protection services. McLaren currently sees no evidence data was misused but urges vigilance. Details on the cyberattack were not disclosed, but the BlackCat ransomware group claimed responsibility in October for an attack, threatening to auction stolen McLaren data impacting 2.5 million people. McLaren operates 14 hospitals in Michigan with 28,000 staff and relationships with 113,000 providers. (BLEEPINGCOMPUTER.COM)

Hackers breach healthcare orgs via ScreenConnect remote access
Security researchers have identified hackers targeting multiple healthcare organizations in the US by exploiting ScreenConnect remote access instances tied to Transaction Data Systems (TDS), a pharmacy supply chain provider. The attacks, observed between October 28 and November 8, involved downloading payloads and installing additional remote access tools like ScreenConnect and AnyDesk to maintain persistent access. Tactics included using the Printer Spooler service and non-PowerShell methods to evade detection. Compromised endpoints belonged to two distinct orgs, one in pharmaceuticals and one in healthcare, linked by their ScreenConnect access. It's unclear if TDS directly suffered a breach or if credentials were compromised. Researchers attempted unsuccessfully to notify TDS, now known as Outcomes, of the issue. The attacks demonstrate how remote access tools can be leveraged in intrusions impacting healthcare. (BLEEPINGCOMPUTER.COM)

Reader letter: Hospital cyberattack demands thorough investigation
This letter calls for a thorough investigation into the ransomware attack on the IT systems of five local hospitals managed by TransForm in Chatham. Nearly two weeks after the incident, the letter notes hospital operations had still not returned to normal. It questions how such critical infrastructure serving 500,000 people lacked proper protection and redundancy, as cancer treatments were cancelled and patient data released. The letter argues backup procedures proved insufficient, and asks if encrypted patient data was actually compromised. It acknowledges people are working hard on recovery but stresses a probe is needed to ensure this cannot happen again, and decision-makers must be held accountable for lax controls that allowed such disastrous consequences. The writer calls initial statements that patient care was unaffected misleading based on subsequent news of impacts. Overall the letter demands answers and changes to protect hospitals from future cyberattacks. (WINDSORSTAR.COM)

Major hack by Russian gang steals social security numbers and health information from 1.3 million in Maine
Maine has revealed that data from 1.3 million residents - nearly the entire state population - was stolen in a May 2022 global cyberattack exploiting file transfer software MOVEit. Stolen information includes names, dates of birth, driver's license numbers, social security numbers, and health/medical data. The attack originated from a Russian-speaking hacking group called CLOP. Many government agencies and private businesses were impacted worldwide in the same incident. Maine is just now notifying victims and offering credit monitoring to those whose critical data was accessed. Over 40% of one state department's staff were affected. The breach has significantly compromised residents' private information. It underscores the massive scale of attacks targeting vulnerabilities in widely used programs. (CO.UK)

Hackers stole personal data of over 800k Sutter Health patients in California data breach
A massive May 2022 ransomware attack exploiting a flaw in file transfer software MoveIt compromised personal information of over 800,000 Sutter Health patients in California, according to a Nov. 3 disclosure. Hackers breached Virgin Pulse, which stored and managed data for Sutter, gaining access to details like names, doctors, prescriptions and treatment codes. The breach is among hundreds worldwide attributed to the Clop/C10p ransomware group exploiting MoveIt, affecting over 2,500 organizations, though stolen information does not appear to have been leaked or abused so far. Notifications are still ongoing months later due to the unprecedented scale. Lawsuits have been filed over privacy violations, while experts say stolen data would be difficult for criminals to organize and monetize. Sutter is offering patients identity protection services in response. (SACBEE.COM)

Ontario Hospitals Expect Monthlong Ransomware Recovery
The five Ontario hospitals affected by a ransomware attack on their shared IT provider TransForm in late October say recovery could take until mid-December. Rebuilding the IT network from scratch means continued patient care disruptions. Attackers stole over 5.6 million patient records from one hospital. TransForm and hospitals refused to pay the ransom. Cybercriminals this week hit another U.S. mental health facility, underscoring persistent threats to healthcare. Experts say prohibiting ransom payments may help curb such incidents. (DATABREACHTODAY.COM)

International

'Phobos' ransomware: Two Russians arrested following a dozen attacks in France
French authorities have arrested two Russian suspects in Italy in connection with over a dozen ransomware attacks in France linked to the "Phobos" ransomware group. The man and woman in their 30s are suspected of working as "affiliates" of Phobos since 2020, renting the ransomware to penetrate victims' networks themselves and sharing ransom profits with developers. Police linked several French attacks to the pair through similar methods. Analysis of cryptocurrency flows also linked them to around 150 ransomware payments worldwide. Their 12 French victims included local governments and businesses. Phobos is a discreet group that generally targets small businesses for smaller ransoms than larger ransomware operations. The arrests are seen as significant, with seized electronic devices to reveal if the pair worked for other groups as well. (LEMONDE.FR)

Iranian Hackers Launch Malware Attacks On Israel’s Tech Sector
Security researchers have tracked a new campaign from Imperial Kitten, an Iranian threat actor linked to cyberattacks against Israeli organizations. The attackers launched phishing emails with malicious Excel files in October, using job recruitment lures. When opened, the files deployed malware for remote access and credential theft. Past Imperial Kitten campaigns compromised Israeli websites and targeted maritime and logistics sectors through similar techniques. Researchers provided indicators of compromise for the adversary's infrastructure. (BLEEPINGCOMPUTER.COM)

How Visa Uses AI to Protect Digital Payments
Visa leverages artificial intelligence and analyzes over 500 data points per transaction to flag potentially fraudulent online spending. The payment processor's models look at variables like transaction location, amount, and devices used to determine a risk score. This score is sent to the customer's bank to decide whether to approve, flag, or decline the transaction. Visa then analyzes how banks handle alerts to identify abnormal approval patterns that could indicate a bank breach enabling fraudsters. The company has invested over $10 billion in fraud detection strategies using this data-driven AI approach to stay ahead of increasingly sophisticated fraudsters who also use technology for payment scams. (ITBREW.COM)

Law Enforcement

Police Take Down BulletProftLink Large-Scale Phishing Provider
Malaysian police have seized the notorious BulletProftLink phishing-as-a-service platform that provided over 300 phishing templates to thousands of subscribers. The operation began in 2015 but gained more attention since 2018. BulletProftLink hosted phishing pages, harvested credentials, and provided reverse proxy tools. In 2020, a report linked the operator to a Malaysian national. In 2021, Microsoft warned of its high volume. With help from Australian and US authorities, Malaysian police arrested eight individuals in November 2023, seizing servers, cryptocurrency, vehicles and other assets. BulletProftLink had over 8,000 subscribers paying up to $2,000/month for access to stolen credentials. Its dismantling removes an important source of initial access for cybercriminals targeting corporations. Stolen credentials could enable network reconnaissance and lateral movement. (BLEEPINGCOMPUTER.COM)

Legal

Pierce College Cyberattack Exposed 155,000 People’s Data. Is the District at Fault?
A cyberattack on Pierce College in July exposed the personal data of more than 155,000 former students and staff. A lawsuit accuses the district of failing to adequately protect sensitive information, including Social Security numbers and banking details. While the district says it responded appropriately after discovering the breach, the plaintiff argues Pierce College did not have sufficient security protocols in place and questions why such large amounts of student data were retained for so long. As similar incidents continue to impact colleges nationwide, experts say all institutions must carefully review their practices for collecting, storing and securing personal information. (THENEWSTRIBUNE.COM)

Intel Faces 'Downfall' Bug Lawsuit, Seeking $10K per Plaintiff
A class action lawsuit claims Intel knowingly sold billions of faulty chips for years that were vulnerable to data-leaking bugs like Downfall. The suit seeks $10,000 per plaintiff, and the outcome could help define where poor vulnerability remediation becomes outright negligence. While determining legal liability may be complicated, the suit alleges Intel was aware of issues similar to Downfall as early as 2018 but did not patch them until researchers disclosed exploits, potentially putting profits over security. Experts note that while serious exploitation could warrant liability, not all side-channel flaws would meet the standard, and overflowing court dockets would not be the solution. (DARKREADING.COM)

Medical Company Fined $450,000 by New York AG Over Data Breach
The New York Attorney General has fined US Radiology Specialists $450,000 over a data breach resulting from a ransomware attack in December 2021. Cybercriminals accessed the company's network using valid credentials for a SonicWall security appliance. They likely exploited a vulnerability (CVE-2021-20016) that had been patched by SonicWall in February 2021. US Radiology had planned to replace, by July 2021, outdated SonicWall hardware that could not receive the patch, but failed to do so because of resource issues. Nearly 200,000 patients, including 92,000 New Yorkers, had personal and health information compromised. As part of the settlement, US Radiology must enhance its security program, replace IT assets efficiently, encrypt data, implement penetration testing, and delete unneeded patient data. The NY AG has fined several medical organizations over breaches impacting large numbers of individuals. While investigations take time, resolutions like this aim to improve protections for sensitive data. (SECURITYWEEK.COM)

Policy

NIST Releases Revised Cyber Requirements For Controlled Unclassified Information
NIST has released draft revisions to its Special Publication 800-171 guidance for protecting controlled unclassified information. The proposed updates outline new cybersecurity requirements for federal agencies and contractors handling sensitive government data. A public comment period is open until January 2024, with NIST aiming to finalize the rule in early 2024. The revisions are meant to provide a balanced starting point for organizations while addressing prior public feedback on an earlier draft. (NEXTGOV.COM)

Privacy

Bad EIDAS: Europe Ready To Intercept, Spy On Your Encrypted HTTPS Connections
Upcoming EU digital identity rules called eIDAS 2.0 are concerning privacy advocates, as they may require browsers to trust certificates from government-approved authorities without limitation. This could enable governments to issue fake certificates and conduct man-in-the-middle attacks to surveil encrypted web traffic, returning the internet to a pre-2011 state of insecurity. Browser makers and hundreds of experts are urging clarification that the rules cannot prevent distrusting certificates used for interception. The final text is still secret ahead of an imminent approval vote. (THEREGISTER.COM)

The IAB Tech Lab Is Seeking Comment On A New Data Deletion Framework
The IAB Tech Lab, a trade group that creates standards for the advertising industry, is seeking public comment by December 2nd on a proposed framework for processing consumer requests to delete their personal data from companies. The framework aims to establish an "elegant" and consistent way for data deletion to occur throughout the complex ad supply chain. It could help companies comply with various privacy laws requiring data deletion, such as GDPR and state laws. If implemented properly, the IAB says the framework could apply globally to honor deletion requests regardless of jurisdiction. The proposal is available on GitHub for review. (MARKETINGBREW.COM)

Ransomware

Ransomware Gang Lockbit Posts What It Says Is Boeing Data on Site
The ransomware group Lockbit has posted documents it claims belong to Boeing Co. on its dark web site, two weeks after taking credit for a cyberattack against the aircraft manufacturer. Lockbit had previously demanded a ransom payment from Boeing by Nov. 2 or said it would release sensitive data. Boeing acknowledged the data release but said the attack poses no threat to aircraft or flight safety. Lockbit is suspected to also be behind a recent attack on Industrial & Commercial Bank of China that briefly disrupted some Treasury market trades. Its decision to leak Boeing files may show its willingness to follow through on threats if victims don't pay. The cyberattack specifically impacted Boeing's parts and distribution business website. Boeing is still investigating the incident while in contact with authorities and affected parties. (BLOOMBERG.COM)

Technology & Defense

Seriously Risky Business: Microsoft Should Look to the Past for Its Security Future
This article critiques Microsoft's new "Secure Future Initiative" to improve cyber security, arguing it lacks the clear priorities and commitment shown in Microsoft's previous "Trustworthy Computing initiative" from 2002. The article says Microsoft needs a cultural shift, not just new engineering efforts, to improve its consistently vulnerable products. It also questions if AI and international cooperation should be such a major part of the strategy compared to basics like secure software development. (LAWFAREMEDIA.ORG)

What Is a Cold Boot Attack and Can You Defend Against It?
A cold boot attack targets a computer's RAM to steal sensitive data when the computer is turned off. Even though data in RAM disappears when a computer shuts down, it can still be accessed for a short time through a cold boot attack if an attacker gains physical access. The attacker uses a bootable USB to force a restart and copy RAM contents before they decay. Stolen data can include passwords and encryption keys. While difficult, defenses include full disk encryption, clearing RAM on shutdown, restricting boot devices, and physical access controls. Understanding how RAM works highlights the need for proactive cybersecurity against evolving threats. (MAKEUSEOF.COM)

What We Can Learn From Major Cloud Cyberattacks
Analysis of six major cloud cyberattacks between 2020 and 2022 found they often resulted from simple technical errors that faster detection and response could have prevented. Attacks are becoming more advanced through automated tools and access gained via stolen credentials or vulnerabilities. Incidents included PyTorch code repository malware, the MediBank and Alibaba/Shanghai Police data breaches, the ONUS crypto exchange hack, and Peloton and Equinix ransomware attacks. Lessons include how attackers automate scanning and exploiting targets, and the long-term impact. The research aims to help organizations review cloud security controls and processes by examining the technical aspects and response patterns. With a wider attack surface, defenders need detection and response benchmarks like detecting threats within five seconds, triaging within five minutes, and responding within five minutes. Faster speeds are needed to counter automated attacker tools in the cloud. (DARKREADING.COM)

Security Remains A Challenge As Pentagon Broadens 5G Plans
As the Pentagon looks to utilize 5G technology against China, it will rely heavily on research and development by the US telecom industry to secure the networks. The DOD is spending $650 million on 5G pilot programs but most R&D is private sector-led. 5G could help military pilots and ground units but only if data can be kept safe from China. The DOD is working with industry on technologies to enhance security within 5G systems. Central to the DOD's vision in the Indo-Pacific is the Mission Partner Environment for sharing data between soldiers, partners and commands using zero-trust security architectures. Much military exercise work has focused on regulating data access regardless of source networks. The Pentagon's plans assume US companies have input in commercial 5G standards to drive security, as China pushes its own. (DEFENSEONE.COM)

Intel In Talks To Build 'Secure Enclave' Chip Facilities For Defense Applications
Intel Corp. is reportedly the leading candidate to receive billions in U.S. government funding to build new secure facilities dedicated to producing microchips for the military. The facilities would aim to reduce dependence on chips imported from East Asia, particularly Taiwan, and help ensure a domestic supply of semiconductors for defense applications. Funding for the proposed new Intel facilities could reach $3-4 billion from the $39 billion set aside in the Chips Act for manufacturing grants. Officials are said to be negotiating the project with Intel but no final decision has been made. Rival chipmakers and some lawmakers have expressed concerns the grants could mean less funding available to other companies. (SILICONANGLE.COM)

Transportation

Most WA transportation services back online following cyberattack
Many Washington State transportation department public web services have been restored following three days of outages due to a cyberattack. As of Friday morning, ferry schedules, some ferry tracking on the mobile app, mountain pass conditions, the agency's travel map, traffic cameras, and online commercial vehicle permits were back online. More work will be done over the weekend to fully restore the ferry tracker. The cause of the attack remains under investigation. Both the transportation department and the state cybersecurity agency said there is no indication data or personal information was breached. Details are limited due to the ongoing probe. The restoration of key services provides some relief, but full effects and lessons from the attack are still being evaluated. (WASHINGTONSTATESTANDARD.COM)

Vulnerabilities & Exploits

Android spyware delivered through infected news site targets Urdu speakers in Kashmir
Researchers from ESET discovered spyware called 'Kamran' being distributed through a compromised Urdu news website targeting readers in Gilgit-Baltistan, a disputed region between India and Pakistan. The watering hole attack involved infecting the Hunza News site, tricking users into downloading an Android app containing Kamran spyware when accessing it from mobile. The spyware stole contacts, location, files and other data from infected devices, which was uploaded to a server. ESET found 22 compromised phones in Pakistan and notified Google, though it did not receive a response from Hunza News. The targeting of Urdu speakers and the timing during local protests suggest potential political surveillance of the region's residents. The discovery highlights the risk of third-party app downloads and the importance of secure sources. (THERECORD.MEDIA)

Malvertiser Copies PC News Site To Deliver Infostealer
A threat actor copied the website of a legitimate Windows news portal, WindowsReport.com, and used it to distribute a malicious installer disguised as the popular CPU-Z software. The fake website looked almost identical to the real one. Users who clicked on a malicious ad were redirected to the fake site, where they could download a digitally signed MSI installer containing a PowerShell script and Redline infostealing malware. The campaign targeted several other software utilities by using cloaking and domain hopping techniques to evade detection. Malwarebytes detected the payloads and blocked the related domains. (MALWAREBYTES.COM)

What To Do With A Cloud Intrusion Toolkit In 2023? Slap A Chat Assistant On It, Duh
Predator AI is an underground cybersecurity tool that can compromise poorly secured cloud services and web apps. It has an optional chatbot assistant powered by OpenAI's ChatGPT that provides limited functionality. The tool is able to exploit 30 types of misconfigured web services and technologies ranging from AWS to WordPress. While its developers claim it is for education only, it could potentially be misused to attack infrastructure. (THEREGISTER.COM)

Root by Accident, Privilege Escalation Using Docker
Serafin Cepeda discusses how access to the Docker daemon can enable privilege escalation attacks even when a user only has limited permissions on the host system. By understanding how Docker isolates processes and filesystems using Linux kernel tools, an attacker can leverage running containers to access "private" directories or launch new containers mounting privileged volumes. Three cases are presented: 1) Accessing private files in a running container, 2) Launching a container to access any host directory, and 3) Using a volume mount to add oneself to sudoers and gain root. Mitigations like restricting daemon access to admins and using an orchestrator like Kubernetes which provides RBAC are recommended over directly managing Docker on production servers. While containers improve deployment, understanding their security implications is important. This demonstrates how seemingly low privileges can be escalated by creatively leveraging available tools and knowledge of Linux internals. (MEDIUM.COM)
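The mitigations in that summary come down to two questions an administrator can audit: who can reach the daemon, and which containers already expose host paths. The script below is an added example, not code from the Medium article; it reads the JSON that `docker inspect` prints (the `Mounts`, `HostConfig` and `Config` fields are the real ones, the sample data is constructed) and flags the configurations behind the three cases, plus the membership of the `docker` group parsed from `/etc/group` text.

```python
"""Audit helpers for the Docker-daemon exposure described above.

Added example, not code from Serafin Cepeda's article. It takes the JSON
that `docker inspect` emits for one or more containers and reports
configurations that hand a container process a path to the host: a bind
mount of host root or a sensitive host directory (the route to editing
/etc/sudoers), a mounted Docker socket, --privileged, or a shared host
PID namespace. It also lists who is in the `docker` group, since that
membership is equivalent to root on the host. All sample data is constructed.
"""
import json

# Host paths whose exposure inside a container is worth a finding. The
# Docker socket is listed regardless of mount mode: a read-only bind mount
# of a UNIX socket still lets the client connect and talk to the daemon.
SENSITIVE_HOST_PATHS = ("/etc", "/root", "/home", "/usr", "/var/run/docker.sock")


def _is_sensitive(src: str) -> bool:
    """True when `src` is host root or lies under a sensitive host path."""
    if src == "/":
        return True
    return any(src == p or src.startswith(p + "/") for p in SENSITIVE_HOST_PATHS)


def audit_container(info: dict) -> list:
    """Return human-readable findings for one `docker inspect` entry."""
    findings = []
    name = info.get("Name", "?").lstrip("/")
    host_cfg = info.get("HostConfig", {})
    user = info.get("Config", {}).get("User") or ""
    who = "as root" if not user else f"as {user}"

    if host_cfg.get("Privileged"):
        findings.append(f"{name}: --privileged grants all capabilities and host devices")
    if host_cfg.get("PidMode") == "host":
        findings.append(f"{name}: shares the host PID namespace")

    for m in info.get("Mounts", []):
        if m.get("Type") != "bind":
            continue  # named volumes live under Docker's own data directory
        src, dst = m.get("Source", ""), m.get("Destination", "")
        if not _is_sensitive(src):
            continue
        mode = "read-write" if m.get("RW", True) else "read-only"
        findings.append(f"{name}: bind-mounts host {src} {mode} at {dst} ({who})")
    return findings


def audit_inspect_output(inspect_json: str) -> dict:
    """Map container name -> findings for the JSON array `docker inspect` prints."""
    return {c["Name"].lstrip("/"): audit_container(c) for c in json.loads(inspect_json)}


def docker_group_members(group_file_text: str) -> list:
    """Parse /etc/group text and return the supplementary members of `docker`."""
    for line in group_file_text.splitlines():
        fields = line.split(":")
        if len(fields) == 4 and fields[0] == "docker":
            return [u for u in fields[3].split(",") if u]
    return []


# Constructed sample: a hardened web container, an "ops shell" that
# bind-mounts the whole host filesystem, and an agent with the socket.
SAMPLE_INSPECT = json.dumps([
    {"Name": "/web", "Config": {"User": "1000:1000"},
     "HostConfig": {"Privileged": False, "PidMode": ""},
     "Mounts": [{"Type": "bind", "Source": "/srv/web/static",
                 "Destination": "/usr/share/nginx/html", "RW": False}]},
    {"Name": "/ops-shell", "Config": {"User": ""},
     "HostConfig": {"Privileged": False, "PidMode": "host"},
     "Mounts": [{"Type": "bind", "Source": "/", "Destination": "/host", "RW": True}]},
    {"Name": "/agent", "Config": {"User": ""},
     "HostConfig": {"Privileged": True, "PidMode": ""},
     "Mounts": [{"Type": "bind", "Source": "/var/run/docker.sock",
                 "Destination": "/var/run/docker.sock", "RW": False},
                {"Type": "volume", "Source": "/var/lib/docker/volumes/agent/_data",
                 "Destination": "/data", "RW": True}]},
])

# Constructed /etc/group excerpt.
SAMPLE_GROUP = "root:x:0:\ndocker:x:999:alice,bob\nsudo:x:27:alice\n"

if __name__ == "__main__":
    for cname, found in audit_inspect_output(SAMPLE_INSPECT).items():
        print(cname, "->", found or ["no findings"])
    print("docker group members:", docker_group_members(SAMPLE_GROUP))
```

On a real host, feed it `docker inspect $(docker ps -q)` and the contents of `/etc/group`; a non-empty `docker` group outside the admin team is the first thing to fix.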

50 Shades of Vulnerabilities: Uncovering Flaws in Open-Source Vulnerability Disclosures
Aqua Nautilus researchers evaluated vulnerability disclosure processes for over 15,000 open-source projects. They found flaws allowing attackers to harvest vulnerabilities before patches by monitoring GitHub and NVD. New disclosure stages of "Half-Day" and "0.75-Day" were introduced, where vulnerabilities are known to maintainers but details are publicly exposed without official patches. Case studies of Log4Shell and Binwalk showed long windows where vulnerabilities could be exploited early. Methods for harvesting such vulnerabilities at scale from GitHub code/issues and recent NVD entries lacking patches were presented. Mitigations like responsible disclosure policies, proactive scanning, and runtime protections were recommended to minimize early exposure windows. The research highlights risks if vulnerability timelines are not tightly controlled and calls for standardized, secure processes. (AQUASEC.COM)
