Google has announced that it’s expanding its Vulnerability Rewards Program (VRP) to compensate researchers for finding attack scenarios tailored to generative artificial intelligence (AI) systems in an effort to bolster AI safety and security.
https://thehackernews.com/2023/10/google-expands-its-bug-bounty-program.html
T-Mobile discloses 2nd data breach of 2023, this one leaking account PINs and more
T-Mobile on Monday said it experienced a hack that exposed account PINs and other customer data in the company’s second network intrusion this year and the ninth since 2018.
The intrusion, which started on February 24 and lasted until March 30, affected 836 customers, according to a notification on the website of Maine Attorney General Aaron Frey.
https://arstechnica.com/information-technology/2023/05/t-mobile-discloses-2nd-data-breach-of-2023-this-one-leaking-account-pins-and-more/
Title: Cisco Zero-Day Exploited to Implant Malicious Lua Backdoor on Thousands of Devices
Cisco has issued a warning about an actively exploited zero-day vulnerability (CVE-2023-20273) in its IOS XE, which allows a threat actor to deploy a malicious implant on affected devices. This flaw is related to a privilege escalation issue in the web UI feature and has been used alongside another vulnerability (CVE-2023-20198) in an exploit chain. The attacker first gains initial access using CVE-2023-20198, creates a local user, and then elevates privileges to write the implant to the file system. A fix for both vulnerabilities is expected to be available to customers from October 22, 2023. In the meantime, it is recommended to disable the HTTP server feature to protect vulnerable devices. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) warns that these vulnerabilities can allow attackers to take control of affected systems, potentially leading to unfettered remote access, network monitoring, traffic manipulation, and persistent network access. Over 36,000 Cisco devices running vulnerable IOS XE software have been compromised by threat actors, primarily affecting smaller entities and individuals.
Link – https://thehackernews.com/2023/10/cisco-zero-day-exploited-to-implant.html
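As an added example (not code from the article, from Cisco or from CISA): a small checker that reads an IOS XE running-config and reports the two conditions the summary above turns on, whether the web UI (the HTTP and HTTPS server) is still enabled, and whether any local accounts at the highest privilege level exist that are not on an allowlist. The sample config, the device name, the allowlist and the assumption that the attacker-created local user would be a privilege-15 account are all constructed for this example.

```python
"""
Added example: audit an IOS XE running-config for web UI exposure and for
unexpected privilege-15 local users. Not code from the article, Cisco or CISA.
"""
import re

# Constructed sample of what `show running-config` might return from a lab router.
SAMPLE_CONFIG = """\
hostname edge-rtr-01
!
username netadmin privilege 15 secret 9 REDACTED
username tmpadmin privilege 15 secret 9 REDACTED
!
ip http server
ip http secure-server
ip http authentication local
!
interface GigabitEthernet1
 ip address 192.0.2.10 255.255.255.0
!
end
"""

# The two lines that turn the web UI on; the mitigation is the `no` form of each.
WEBUI_LINES = {"ip http server", "ip http secure-server"}
USER_RE = re.compile(r"^username\s+(\S+)\s+privilege\s+(\d+)")


def parse_config(text):
    """Return (set of enabled web UI services, {username: privilege level})."""
    webui = set()
    users = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line in WEBUI_LINES:
            webui.add(line)
        m = USER_RE.match(line)
        if m:
            users[m.group(1)] = int(m.group(2))
    return webui, users


def assess(text, known_users):
    """Findings: web UI still enabled, and privilege-15 accounts not on the allowlist.

    `known_users` is the set of privilege-15 accounts the operator expects; any
    other level-15 account is reported so it can be checked against change records.
    """
    webui, users = parse_config(text)
    findings = []
    for svc in sorted(webui):
        findings.append(f"web UI enabled ({svc}); mitigation is 'no {svc}'")
    for user, priv in sorted(users.items()):
        if priv == 15 and user not in known_users:
            findings.append(f"unexpected privilege-15 account: {user}")
    return findings


def hardened_lines(text):
    """Config lines that would disable every web UI service found enabled."""
    webui, _ = parse_config(text)
    return [f"no {svc}" for svc in sorted(webui)]


if __name__ == "__main__":
    for finding in assess(SAMPLE_CONFIG, known_users={"netadmin"}):
        print(finding)
    print(hardened_lines(SAMPLE_CONFIG))
```

Disabling the web UI is the interim mitigation the advisory summary gives; it does not remove an implant that is already on the device, so a flagged account or an enabled web UI on an exposed device is a reason to patch and to follow Cisco's own guidance for checking the device.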
‘It’s a huge problem’: Canadians lost $283.4M to scammers through first half of 2023
https://www.thespec.com/news/its-a-huge-problem-canadians-lost-283-4m-to-scammers-through-first-half-of-2023/article_17504ddd-3ab2-5919-8776-928832080aff.html
With estimates indicating only five to 10 per cent of frauds are ever reported to the Canadian Anti-Fraud Centre, the actual losses are likely in the billions.
Investment scams leading the way
Of the $283 million in fraud losses reported in the first six months of 2023, investment scams accounted for losses of $161.4 million, according to the Canadian Anti-Fraud Centre. Projected over an entire year, investment scam losses are on pace to surpass last year’s total of $305.4 million.
The most common method of solicitation is through search engine optimization. If you’re thinking of investing in cryptocurrency, for example, you might enter “crypto investments” into a search engine.
While email phishing scams have been around for years, targeted cyberattacks, known as spear phishing, are among the fastest growing scams targeting businesses and organizations.
In many cases, fraudsters will research and collect information on their intended target.
Over the first six months of 2023, spear phishing scams have accounted for reported losses of more than $33.7 million.
In many cases, scammers will infiltrate or spoof a business or organization’s email account to intercept a large payment due to a vendor, requesting that funds be redirected to an alternate bank account. A targeted business may receive a duplicate invoice with updated payment details supposedly from a supplier or contractor.
During the winter months of 2023, police allege the organization was invoiced for work done by a contractor that was known to the group. The contractor unknowingly had its business email compromised and spoofed to look like the contractor’s email address. The social service organization was advised to send outstanding payments of more than $94,000 to a new bank account.
To avoid becoming a victim, Peel police urge employers to be vigilant while examining changes to payments, account numbers and confirming the identity of those in charge of receiving payments. If you receive a request to send payments to a vendor or employee through an alternate method, pick up the phone and call the recipient to confirm the details.
Romance scams still prevalent
Romance scams accounted for $26.7 million in losses over the first six months of this year, according to the Canadian Anti-Fraud Centre. Horncastle notes these frauds can also be coupled with investment scams, in cases where the victim develops a relationship with the suspect and invests in a fraudulent investment scheme.
Emergency scams
Emergency scams, also known as grandparent scams, accounted for more than $9.2 million in losses over the first six months of this year. It’s a telephone scam that’s been around for years, often targeting older adults. A caller posing as a grandchild will request bail money or funds to cover an emergency.
Information security vs cyber security vs network security | ITPro
This article goes over the comparison of information security, cyber security and network security. It shows that information security is centered around preventing unauthorized access to critical data or personal information your organization stores. It shows that IS involves three categories, which are confidentiality, integrity, and availability. Cybersecurity is the process your organization must follow to be aware of the latest and emerging cyber security threats and trends. Network security is how an organization protects the usability and integrity of its network and data. This field includes both hardware and software involved in a network and aims to prevent threats from entering the business networks. While information security is the protection of your data from any unauthorized access, CS is protecting it from unauthorized access specifically in the online realm. Network security aims to protect data as it travels through the network between the users and endpoints and normally involves protecting against DoS attacks, viruses, etc.
IS- Protects data from unauthorized access. EX: implementing controls such as intrusion detection systems or making sure hard copy files are locked down.
CS- Protects data from unauthorized access specifically in the online realm. EX: CS centers on preventing ransomware attacks, spyware, etc.
NS- Must protect data flowing over a particular network; focuses purely on the network, whereas IS is concerned with information overall.
NS is broadly a subset of CS which, itself, is a subset of IS.
“Having effective IS policies in place is crucial to this, with the volume of data expanding. But so too is adopting cyber security principles to stay abreast of the latest threats. Strong network policies, meanwhile, ensure the organization’s corporate network is airtight and all data transmitted across it is safe from exploitation.”
https://www.itpro.com/security/369418/information-security-vs-cyber-security-vs-network-security
Largest DDoS attacks ever reported by Google, Cloudflare and AWS
The DDoS attack was more than seven times larger than the previous record-breaking DDoS attack
https://www.cshub.com/attacks/news/record-breaking-ddos-attack
Internet infrastructure providers Google Cloud, Cloudflare, and Amazon Web Services recently faced the largest distributed-denial-of-service (DDoS) attacks to date. These attacks, occurring since August, exploited a zero-day vulnerability and were unprecedented in scale. Google reported that the peak requests per second (rps) exceeded 398 million, over seven times larger than the previous record-breaking DDoS attack. This attack leveraged a novel HTTP/2 “Rapid Reset” technique based on stream multiplexing, allowing a single connection to have an indefinite number of requests in flight. Despite the sheer volume, the attack was executed using a relatively small botnet of approximately 20,000 machines. The zero-day vulnerability gave threat actors a powerful tool for launching attacks of unparalleled magnitude. To mitigate the impact and maintain service, affected companies employed DDoS mitigation techniques like load balancing. A partnership among multiple infrastructure providers helped prevent widespread outages, underscoring the collaborative efforts required to defend against such large-scale attacks.
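As an added example (not code from the article or from Google, Cloudflare or AWS): a detector for the HTTP/2 Rapid Reset pattern the summary describes, run over constructed per-frame events. The mechanism is that the client opens a stream with HEADERS and cancels it with RST_STREAM almost immediately; the server still does the work of starting the request, but the client never holds the stream open, so a limit on concurrently open streams does not slow it down. The signature to look for is therefore a high rate of HEADERS-then-RST_STREAM pairs per connection in a short window, not a high number of open streams. The event format, the window and the threshold are assumptions made for this example.

```python
"""
Added example: flag HTTP/2 connections that open and cancel streams at a rate
consistent with Rapid Reset. Not code from the article or any provider.
Each event is a tuple: (connection_id, timestamp_seconds, frame_type, stream_id).
"""
from collections import defaultdict, deque


def make_events():
    """Constructed sample traffic: one well-behaved client and one abusive one."""
    events = []
    # Benign client: 5 requests, each stream carries data and is never reset.
    for i in range(5):
        sid = 2 * i + 1                      # client-initiated streams are odd-numbered
        events.append(("conn-A", 0.1 * i, "HEADERS", sid))
        events.append(("conn-A", 0.1 * i + 0.2, "DATA", sid))
    # Abusive client: 500 streams opened and cancelled within half a second.
    for i in range(500):
        sid = 2 * i + 1
        t = 0.001 * i
        events.append(("conn-B", t, "HEADERS", sid))
        events.append(("conn-B", t + 0.0005, "RST_STREAM", sid))
    return sorted(events, key=lambda e: e[1])


def reset_rates(events, window=1.0):
    """Peak count of HEADERS->RST_STREAM cancellations per `window` seconds, per connection."""
    open_streams = defaultdict(dict)         # conn -> {stream_id: time HEADERS was seen}
    recent = defaultdict(deque)              # conn -> timestamps of recent cancellations
    peak = defaultdict(int)
    for conn, ts, frame, sid in events:
        if frame == "HEADERS":
            open_streams[conn][sid] = ts
        elif frame == "RST_STREAM" and sid in open_streams[conn]:
            del open_streams[conn][sid]      # cancelled: the server's work was wasted
            q = recent[conn]
            q.append(ts)
            while q and ts - q[0] > window:  # slide the window forward
                q.popleft()
            peak[conn] = max(peak[conn], len(q))
        # DATA and other frames are real request traffic; nothing to count.
    return dict(peak)


def flag_rapid_reset(events, window=1.0, threshold=100):
    """Connections whose cancellation rate exceeds `threshold` per window."""
    return sorted(c for c, n in reset_rates(events, window).items() if n > threshold)


if __name__ == "__main__":
    ev = make_events()
    print(reset_rates(ev))
    print(flag_rapid_reset(ev))
```

A real deployment would take these events from the HTTP/2 server or proxy's frame-level logging and act on a flagged connection by closing it with GOAWAY; the point of counting cancellations rather than open streams is that the concurrent-stream limit is exactly what this technique sidesteps.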
Title: iLeakage Attack Exploits Safari to Steal Sensitive Data From Macs, iPhones
Link: https://www.securityweek.com/ileakage-attack-exploits-safari-to-steal-sensitive-data-from-macs-iphones/
Researchers have discovered new ways for malicious actors to steal data from Apple products, including Macs, iPhones, and iPads. It’s known as “iLeakage.” This attack deceives the web browser Safari into displaying a malicious webpage and obtaining data from it. The attacker needs to convince the Safari user to visit a phony website in order for this to function. The real website, from which they hope to steal information, is then secretly opened by this fake one. The researchers from several universities that made this discovery demonstrated how passwords and other confidential information may be obtained using it.
They even created videos showing off how iLeakage can steal viewing history on YouTube, Gmail subject lines, and Instagram login credentials. They reported this to Apple in September 2022, but to date, Apple has only fixed Safari on Macs. Additionally, the researchers claim that while Safari is enabled by default, it can be a little unreliable. Apple promised to address this further in their upcoming software release.
Luckily, there is no evidence that this attack has been used “in the wild,” and it is not a simple task to perform. It requires an expert in web browser functionality and Safari configuration. The bad news is that, since it leaves no trace in the computer’s records, even if it did occur, it would be difficult to detect. This exploit is limited to Safari on Mac computers because it is not present in other browsers such as Edge, Firefox, and Chrome. On iPhones and iPads, however, because Firefox, Chrome, and Edge are built on top of Safari, it might function with other browsers.
Booking.com is once again making headlines. Some customers who have made reservations using the website are receiving emails urging them to reconfirm their bookings by sharing their bank credentials, under the threat of their reservations being canceled. It’s important to note that Booking.com has denied any responsibility for this breach and has instead attributed the problem to its partner affiliates.
“In each case the customer has either checked in, or was due to check in, to a hotel they had reserved using Booking.com. The email – sent from noreply@booking.com – claims their stay may have to be cancelled unless they hand over their bank card details via an embedded link.
If they fail to do so within four or 12 hours – the emails vary slightly – the reservation will be cancelled. Notifications of the email have also appeared in the company’s app on mobile phones.”
Article: https://www.theguardian.com/money/2023/oct/23/bookingcom-customers-targeted-by-scam-confirmation-emails
Erskine Payton
In the News Article- Week 10
MIS 5211
Temple University
https://techcrunch.com/2023/10/27/ccleaner-says-hackers-stole-users-personal-data-during-moveit-mass-hack/
CCleaner says hackers stole users’ personal data during MOVEit mass-hack
Hackers used a MOVEit file transfer tool to steal what was described as a “trove of personal information” from CCleaner’s paying subscribers. The breach occurred back in May, with less than 2% of their users having been affected. As usual, they did not provide specifics for obvious reasons. People are questioning why it took so long for CCleaner to report the breach, not even to those affected.
A spokesperson for Gen Digital (CCleaner’s parent company) reported that hackers stole users’ contact info such as address, phone number, and email address. Users were contacted with the news that hackers stole their contact and purchase information. Back in 2017, CCleaner was hacked, with hackers planting malware in the code to monitor over two million users. This tool allowed hackers to target high-profile tech and telecom companies.
Biden Issues EO on Secure AI
Biden has announced an Executive Order (EO) that acknowledges the security risks of advanced technology, specifically AI. This comes ahead of the UK’s AI Safety Summit from November 1st – 2nd, where the UK is establishing some regulatory grounds for AI development, and is meant to be complementary to the UK’s AI regulatory efforts as well as Japan’s leadership of the G7 Hiroshima Process, India’s leadership as Chair of the Global Partnership on AI and the UN’s ongoing discussions. The US gov’t has advised actions to protect from potential AI risks that largely lie in the hands of the AI developers. These actions boost a community around AI security. The one action that I found interesting was the action to “protect against the risks of using AI to engineer dangerous biological materials.” So confounded by this, I was able to research that one of the most immediate bioengineering threats is surveillance via DNA databases. I may have come across this before, but learning more in this program makes “old” news news again! And apparently, the Chinese government has already used blood sampling to target a population, the Uighurs. One part of the EO that is particularly interesting is that it sets out plans to produce reports that will help maximize the benefits of AI for workers, which is something that I am truly excited about (but also realistic). It seems the Biden administration wants to ensure responsible, progressive government use of AI, effectively accelerating the rapid recruitment of “AI professionals”. It makes sense to jump on this bandwagon before the end of his term.
Article Link : https://www.infosecurity-magazine.com/news/biden-issues-executive-order-on/
Article: U.S. sues SolarWinds for fraud over alleged cyber security neglect ahead of stunning Russian hack into Justice and Homeland Security departments
Texas-based energy company SolarWinds has been sued by the US government for failing to disclose important security information that contributed to the 2020 Russian espionage hack. According to the SEC, the 2020 hack led to unauthorized access and data breaches in both the Justice and Homeland Security departments. The suit alleges that red flags and vulnerabilities were ignored by the company for years leading up to the 2020 breach and that improper data security led to risks within government functions and security. This situation reminds me of the Target case from our case studies, but this time with even more disastrous effects, causing possible cascading damage to government infrastructure.
https://fortune.com/2023/10/31/us-sec-sues-solarwinds-fraud-cyber-security-neglect-russian-hack-justice-homeland-security-departments/
Title: Canada Bans WeChat and Kaspersky Apps On Government Devices
Link: https://thehackernews.com/2023/10/canada-bans-wechat-and-kaspersky-apps.html
Summary: Canada has banned Tencent’s WeChat and Kaspersky’s applications from government mobile devices, citing privacy and security risks. The decision, effective October 30, 2023, stems from concerns about these apps providing extensive access to device contents. The ban follows a similar action against TikTok in February 2023. Kaspersky criticized the move as politically motivated while the U.S. had previously flagged Kaspersky for national security concerns in March 2022.
https://thehackernews.com/2023/10/malicious-nuget-packages-caught.html
Malicious NuGet Packages Caught Distributing SeroXen RAT Malware
According to a new report, there is an ongoing campaign that uses the NuGet package manager to deploy a lesser-known malware. These deceptive NuGet packages act as a vehicle for delivering the SeroXen RAT, which is a remote access trojan. The individuals orchestrating this operation display a remarkable level of persistence, consistently attempting to breach the NuGet repository and continuously releasing fresh waves of malicious packages. A portion of these packages adopts the guise of reputable ones and takes advantage of NuGet’s MSBuild integrations feature to insert malevolent code through inline tasks. This tactic ultimately facilitates the execution of harmful code. The significance of this discovery underscores the urgent need for vigilance and the implementation of robust security measures to protect software supply chains against such threats.
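As an added example (not code from the article, from the report it cites or from the NuGet project): a scanner for the delivery trick the summary describes. A NuGet package may ship MSBuild .props and .targets files under build/ or buildTransitive/, which MSBuild imports into every project that references the package; a <UsingTask> element with an inline-code task factory (CodeTaskFactory or RoslynCodeTaskFactory) lets such a file compile and run arbitrary C# during the consumer's build, before any of the package's library code is ever called. The scanner opens a .nupkg (which is a zip archive) in memory, parses those files and reports inline tasks and <Exec> commands. The sample package, its name and the C# fragment inside it are constructed for this example and are not taken from any real malicious package.

```python
"""
Added example: scan a .nupkg for MSBuild inline tasks and Exec commands.
Not code from the article or from the NuGet project.
"""
import io
import zipfile
import xml.etree.ElementTree as ET

INLINE_FACTORIES = {"CodeTaskFactory", "RoslynCodeTaskFactory"}
BUILD_DIRS = ("build/", "buildtransitive/")   # compared case-insensitively


def _local(tag):
    """Strip the XML namespace; older MSBuild project files declare one, newer ones do not."""
    return tag.rsplit("}", 1)[-1]


def scan_msbuild_xml(path, xml_text):
    """Findings for one .props/.targets file."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return [f"{path}: unparseable XML ({exc})"]
    findings = []
    for el in root.iter():
        name = _local(el.tag)
        if name == "UsingTask" and el.get("TaskFactory") in INLINE_FACTORIES:
            findings.append(f"{path}: inline task '{el.get('TaskName')}' via {el.get('TaskFactory')}")
        elif name == "Exec":
            findings.append(f'{path}: <Exec Command="{el.get("Command")}">')
    return findings


def scan_nupkg(data):
    """Scan a .nupkg given as bytes; returns a list of human-readable findings."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        for name in z.namelist():
            lower = name.lower()
            if lower.startswith(BUILD_DIRS) and lower.endswith((".props", ".targets")):
                findings.extend(scan_msbuild_xml(name, z.read(name).decode("utf-8", "replace")))
    return findings


# Constructed sample: a .targets file whose inline task would run on every build of a
# consuming project. The C# body only writes a marker file; it shows the shape, not a payload.
SUSPICIOUS_TARGETS = """<Project xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  <UsingTask TaskName="Init" TaskFactory="RoslynCodeTaskFactory"
             AssemblyFile="$(MSBuildToolsPath)\\Microsoft.Build.Tasks.Core.dll">
    <Task>
      <Code Type="Fragment" Language="cs">
        System.IO.File.WriteAllText("marker.txt", "built");
      </Code>
    </Task>
  </UsingTask>
  <Target Name="Init" BeforeTargets="Build">
    <Init />
  </Target>
</Project>
"""

# Constructed sample of a benign build file: it only sets a property.
CLEAN_PROPS = """<Project>
  <PropertyGroup><ExampleLibEnabled>true</ExampleLibEnabled></PropertyGroup>
</Project>
"""


def build_sample_nupkg(targets_xml):
    """Assemble a minimal .nupkg in memory around the given build file (constructed data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("examplelib.nuspec", "<package><metadata><id>ExampleLib</id></metadata></package>")
        z.writestr("lib/netstandard2.0/ExampleLib.dll", b"MZ-placeholder")
        z.writestr("build/ExampleLib.targets", targets_xml)
    return buf.getvalue()


if __name__ == "__main__":
    for line in scan_nupkg(build_sample_nupkg(SUSPICIOUS_TARGETS)):
        print(line)
```

An inline task or Exec in a package's build files is not proof of malice (some legitimate packages use them), but it is exactly the place where a package can run code without the consumer calling anything, so it is worth gating in a package-intake pipeline and reviewing by hand.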