<?xml version="1.0"?>
<rss version="2.0"><channel><title><![CDATA[News: Security & Privacy News]]></title><link>https://nsaneforums.com/news/security-privacy-news/page/43/?d=2</link><description><![CDATA[News: Security & Privacy News]]></description><language>en</language><item><title>Scathing report on Medibank cyberattack highlights unenforced MFA</title><link>https://nsaneforums.com/news/security-privacy-news/scathing-report-on-medibank-cyberattack-highlights-unenforced-mfa-r23787/</link><description><![CDATA[<p>
	A scathing report by Australia's Information Commissioner details how misconfigurations and missed alerts allowed a hacker to breach Medibank and steal data from over 9 million people.
</p>

<p>
	In October 2022, Australian health insurance provider Medibank disclosed that it had <a href="https://www.bleepingcomputer.com/news/security/australian-insurance-firm-medibank-confirms-ransomware-attack/" target="_blank" rel="external nofollow">suffered a cyberattack</a> that disrupted the company's operations.
</p>

<p>
	A week later, the company confirmed that the threat actors <a href="https://www.bleepingcomputer.com/news/security/medibank-now-says-hackers-accessed-all-its-customers-personal-data/" target="_blank" rel="external nofollow">stole all of its customers' personal data</a> and a large amount of health claims data, causing a data breach that impacted 9.7 million people.
</p>

<p>
	The data from the attack was <a href="https://www.bleepingcomputer.com/news/security/medibank-warns-customers-their-data-was-leaked-by-ransomware-gang/" target="_blank" rel="external nofollow">later leaked</a> by a ransomware gang <a href="https://www.bleepingcomputer.com/news/security/ransomware-gang-threatens-to-release-stolen-medibank-data/" target="_blank" rel="external nofollow">known as BlogXX</a>, which was believed to be an offshoot of the <a href="https://www.bleepingcomputer.com/news/security/revil-ransomware-shuts-down-again-after-tor-sites-were-hijacked/" target="_blank" rel="external nofollow">shutdown REvil ransomware gang</a>.
</p>

<p>
	The attack was ultimately linked to a Russian national named Aleksandr Gennadievich Ermakov, who was sanctioned by Australia, the UK, and the USA.
</p>

<h2>
	OAIC's findings
</h2>

<p>
	In a new report released by the Office of the Australian Information Commissioner (OAIC), the agency's investigation determined that significant operational failures allowed the hacker to breach Medibank's network.
</p>

<p>
	"The Commissioner alleges that from March 2021 to October 2022, Medibank seriously interfered with the privacy of 9.7 million Australians by failing to take reasonable steps to protect their personal information from misuse and unauthorised access or disclosure in breach of the <em>Privacy Act 1988</em>," reads an <a href="https://www.oaic.gov.au/newsroom/oaic-takes-civil-penalty-action-against-medibank" rel="external nofollow" target="_blank">OAIC press statement</a>.
</p>

<p>
	According to the report, it all started with a Medibank contractor (IT Service Desk Operator) using his personal browser profile on his work computer and saving his Medibank credentials in the browser.
</p>

<p>
	These credentials were then synced to his home computer, which became infected with information-stealing malware, allowing the threat actors to steal all the saved passwords in his browser on August 7, 2022. These credentials provided access to both a standard and an elevated access (admin) account at Medibank.
</p>

<p>
	"During the Relevant Period, the Admin Account had access to most (if not all) of Medibank's systems, including network drives, management consoles, and remote desktop access to jump box servers (used to access certain Medibank directories and databases)," reads the <a href="https://www.oaic.gov.au/__data/assets/pdf_file/0025/221974/AIC-v-Medibank-Private-Limited-concise-statement.pdf" rel="external nofollow" target="_blank">OAIC report</a>.
</p>

<p>
	It is unclear if the attacker behind the Medibank breach purchased the stolen credentials from an online dark web cybercrime marketplace or conducted the information-stealing malware campaign.
</p>

<p>
	However, the threat actor began using these credentials on August 12 to first breach the company's Microsoft Exchange server and then later to log into Medibank's Palo Alto Networks Global Protect Virtual Private Network (VPN) implementation, providing internal access to the corporate network.
</p>

<p>
	The report states that Medibank failed to protect users' data as it had not enforced multi-factor authentication on VPN credentials and allowed anyone with access to the credentials to log into the device.
</p>

<p>
	"The threat actor was able to authenticate and log onto Medibank's Global Protect VPN using only the Medibank Credentials because, during the Relevant Period, access to Medibank's Global Protect VPN did not require two or more proofs of identity or multi-factor authentication (MFA). Rather, Medibank's Global Protect VPN was configured so that only a device certificate, or a username and password (such as the Medibank Credentials), was required," continued the report.
</p>

<p>
	Using this access to the internal network, the threat actor began spreading through the systems, stealing 520 GB of data from the company's MARS Database and MPLFiler systems between August 25 and October 13, 2022.
</p>

<p>
	This data included customers' names, dates of birth, addresses, phone numbers, email addresses, Medicare numbers, passport numbers, health-related information, and claims data (such as patient names, provider names, primary/secondary diagnosis and procedure codes, and treatment dates).
</p>

<p>
	To make matters worse, the report alleges that the company's EDR software raised alerts about suspicious behavior on August 24 and 25, which were not properly triaged.
</p>

<p>
	It wasn't until mid-October, when Medibank brought in a threat intelligence firm to investigate a Microsoft Exchange ProxyNotShell incident, that the company discovered that data had already been stolen in the earlier intrusion.
</p>

<h2>
	Protecting credentials with MFA
</h2>

<p>
	With billions of credentials stolen by information-stealing malware and data breaches, organizations face a massive attack surface that is hard to defend without additional controls, such as multi-factor authentication.
</p>

<p>
	All organizations should operate under the assumption that some of their corporate credentials have already been exposed, so enforcing MFA adds a layer of defense that makes it far more difficult for threat actors to breach a network with stolen credentials alone.
</p>

<p>
	This is especially true for VPN gateways, which are designed to be publicly exposed on the internet so that remote employees can log in to the corporate network.
</p>

<p>
	However, this also provides an attack surface commonly <a href="https://www.bleepingcomputer.com/news/security/akira-ransomware-targets-cisco-vpns-to-breach-organizations/" target="_blank" rel="external nofollow">targeted by ransomware gangs</a> and <a href="https://www.bleepingcomputer.com/news/security/hackers-target-check-point-vpns-to-breach-enterprise-networks/" target="_blank" rel="external nofollow">other threat actors to breach networks</a> and thus must be protected with additional defenses, such as MFA.
</p>

<p>
	<a href="https://www.bleepingcomputer.com/news/security/scathing-report-on-medibank-cyberattack-highlights-unenforced-mfa/" rel="external nofollow">Source</a>
</p>

<p>
	<span style="font-size:12px;"><em>Hope you enjoyed this news post.</em></span>
</p>

<p>
	<span style="font-size:12px;"><em>Thank you for appreciating my time and effort posting news every single day for many years.</em></span>
</p>

<p>
	<span style="font-size:12px;"><em>2023: Over 5,800 news posts | 2024 (till end of May): Nearly 2,400 news posts</em></span>
</p>
]]></description><guid isPermaLink="false">23787</guid><pubDate>Tue, 18 Jun 2024 19:19:22 +0000</pubDate></item><item><title>Chrome sends AI history search data to Google</title><link>https://nsaneforums.com/news/security-privacy-news/chrome-sends-ai-history-search-data-to-google-r23773/</link><description><![CDATA[<p>
	Google is working on a new feature in Chrome that gives artificial intelligence control over a user's browsing history. Chrome users may then interact with the AI when they run searches in their browsing history.
</p>

<p>
	<strong>Here are the highlights:</strong>
</p>

<ul>
	<li>
		Chrome users may soon search the browsing history using natural language.
	</li>
	<li>
		The browser stores contents of visited pages locally in encrypted form.
	</li>
	<li>
		The feature submits search data to Google.
	</li>
</ul>

<p>
	Google notes that search includes "general page content" as well as page titles and URLs. The feature returns "improved results" and works from the address bar and the history page according to Google.
</p>

<p>
	Since it uses AI, it supports using "everyday language to search", according to Google.
</p>

<p>
	Word of warning: Google displays a warning to users who manage the feature in Chrome. Under "things to consider", Google writes that data is always sent to Google when the feature is used.
</p>

<p>
	Data includes the "history search terms, page content of best matches, and generated model outputs". Furthermore, Google confirms that the data may be accessed by human reviewers "to improve the feature". Chrome saves the content of pages "in an encrypted form" on the device.
</p>

<p>
	This does not mean that Chrome reviewers do not get access to page contents, as <a data-wpel-link="external" href="https://mspoweruser.com/google-chromes-ai-on-browsing-history-may-still-use-human-reviewers-for-training-purposes/" rel="external nofollow" target="_blank">MSPoweruser</a> author Rafly Gilang suggested. Google even states that reviewers gain access to "page content of best matches".
</p>

<p>
	There is no word about anonymization of personal data. It is possible that Google does that, but there is no evidence on the current "History search, powered by AI" page in the Chrome settings.
</p>

<p>
	In other words, Google may gain access to personal information. A very simple example is a personal website or social media profile.
</p>

<p>
	The good news is that the feature can be turned on or off in Chrome. Whether it is enabled by default remains to be seen. Turning it on automatically would probably go against GDPR in the EU.
</p>

<h3>
	Closing Words
</h3>

<p>
	Running searches across URLs, page titles, and content is certainly a desirable feature, provided that data stays local and users have full control over the feature.
</p>

<p>
	The current history feature may only return matching URLs or titles. Extensions such as <a data-wpel-link="internal" href="https://www.ghacks.net/2019/10/28/https-github-com-worldbrain-memex/" rel="external nofollow">Memex</a> were created in the past to allow users to search page contents as well.
</p>

<p>
	Google's work on the AI-powered history search feature is ongoing. It is possible that things will change in future releases or that the entire feature is scrapped before official release.
</p>

<p>
	<em>Would you use an AI-powered history search feature? </em>
</p>

<p>
	<a href="https://www.ghacks.net/2024/06/17/chrome-sends-ai-history-search-data-to-google/" rel="external nofollow">Source</a>
</p>

]]></description><guid isPermaLink="false">23773</guid><pubDate>Mon, 17 Jun 2024 20:26:19 +0000</pubDate></item><item><title>Amazon-Powered AI Cameras Used to Detect Emotions of Unwitting UK Train Passengers</title><link>https://nsaneforums.com/news/security-privacy-news/amazon-powered-ai-cameras-used-to-detect-emotions-of-unwitting-uk-train-passengers-r23764/</link><description><![CDATA[<p>
	<span style="font-size:18px;"><strong>CCTV cameras and AI are being combined to monitor crowds, detect bike thefts, and spot trespassers.</strong></span>
</p>

<p>
	Thousands of people catching trains in the United Kingdom likely had their faces scanned by Amazon software as part of widespread artificial intelligence trials, new documents reveal. The image recognition system was used to predict travelers’ age, gender, and potential emotions—with the suggestion that the data could be used in advertising systems in the future.
</p>

<p>
	During the past two years, eight train stations around the UK—including large stations such as London’s Euston and Waterloo, Manchester Piccadilly, and other smaller stations—have tested AI surveillance technology with CCTV cameras with the aim of alerting staff to safety incidents and potentially reducing certain types of crime.
</p>

<p>
	The extensive trials, overseen by rail infrastructure body Network Rail, have used object recognition—a type of machine learning that can identify items in video feeds—to detect people trespassing on tracks, monitor and predict platform overcrowding, identify antisocial behavior (“running, shouting, skateboarding, smoking”), and spot potential bike thieves. Separate trials have used wireless sensors to detect slippery floors, full bins, and drains that may overflow.
</p>

<p>
	The scope of the AI trials, elements of which have previously been reported, was revealed in a cache of documents obtained in response to a freedom of information request by civil liberties group Big Brother Watch. “The rollout and normalization of AI surveillance in these public spaces, without much consultation and conversation, is quite a concerning step,” says Jake Hurfurt, the head of research and investigations at the group.
</p>

<p>
	The AI trials used a combination of “smart” CCTV cameras that can detect objects or movements from the images they capture and older cameras whose video feeds are connected to cloud-based analysis. Between five and seven cameras or sensors were included at each station, note the documents, which are dated from April 2023. One spreadsheet lists 50 possible AI use cases, although not all of these appear to have been used in the tests. One station, London Euston, was due to trial a “suicide risk” detection system, but the documents say the camera failed and staff did not see a need to replace it because the station is a “terminus” station.
</p>

<p>
	Hurfurt says the most “concerning” element of the trials focused on “passenger demographics.” According to the documents, this setup could use images from the cameras to produce a “statistical analysis of age range and male/female demographics,” and is also able to “analyze for emotion” such as “happy, sad, and angry.”
</p>

<p>
	The images were captured when people crossed a “virtual tripwire” near ticket barriers, and were sent to be analyzed by Amazon’s Rekognition system, which allows face and object analysis. It could allow passenger “satisfaction” to be measured, the documents say, noting that “this data could be utilized to maximum advertising and retail revenue.”
</p>

<p>
	AI researchers have frequently warned that using the technology to detect emotions is “unreliable,” and some say the technology should be banned due to the difficulty of working out how someone may be feeling from audio or video. In October 2022, the UK’s data regulator, the Information Commissioner’s Office, issued a public statement warning against the use of emotion analysis, saying the technologies are “immature” and “they may not work yet, or indeed ever.”
</p>

<p>
	Network Rail did not answer questions about the trials sent by WIRED, including questions about the current status of AI usage, emotion detection, and privacy concerns.
</p>

<p>
	“We take the security of the rail network extremely seriously and use a range of advanced technologies across our stations to protect passengers, our colleagues, and the railway infrastructure from crime and other threats,” a Network Rail spokesperson says. “When we deploy technology, we work with the police and security services to ensure that we’re taking proportionate action, and we always comply with the relevant legislation regarding the use of surveillance technologies.”
</p>

<p>
	It is unclear how widely the emotion detection analysis was deployed, with the documents at times saying the use case should be “viewed with more caution” and reports from stations saying it is “impossible to validate accuracy.” However, Gregory Butler, the CEO of data analytics and computer vision company Purple Transform, which has been working with Network Rail on the trials, says the capability was discontinued during the tests and that no images were stored when it was active.
</p>

<p>
	The Network Rail documents about the AI trials describe multiple use cases involving the potential for the cameras to send automated alerts to staff when they detect certain behavior. None of the systems use controversial face recognition technology, which aims to match people’s identities to those stored in databases.
</p>

<p>
	“A primary benefit is the swifter detection of trespass incidents,” says Butler, who adds that his firm’s analytics system, SiYtE, is in use at 18 sites, including train stations and alongside tracks. In the past month, Butler says, there have been five serious cases of trespassing that systems have detected at two sites, including a teenager collecting a ball from the tracks and a man “spending over five minutes picking up golf balls along a high-speed line.”
</p>

<p>
	At Leeds train station, one of the busiest outside of London, there are 350 CCTV cameras connected to the SiYtE platform, Butler says. “The analytics are being used to measure people flow and identify issues such as platform crowding and, of course, trespass—where the technology can filter out track workers through their PPE uniform,” he says. “AI helps human operators, who cannot monitor all cameras continuously, to assess and address safety risks and issues promptly.”
</p>

<p>
	The Network Rail documents claim that cameras used at one station, Reading, allowed police to speed up investigations into bike thefts by being able to pinpoint bikes in the footage. “It was established that, whilst analytics could not confidently detect a theft, but they could detect a person with a bike,” the files say. They also add that new air quality sensors used in the trials could save staff time from manually conducting checks. One AI instance uses data from sensors to detect “sweating” floors, which have become slippery with condensation, and alert staff when they need to be cleaned.
</p>

<p>
	While the documents detail some elements of the trials, privacy experts say they are concerned about the overall lack of transparency and debate about the use of AI in public spaces. In one document designed to assess data protection issues with the systems, Hurfurt from Big Brother Watch says there appears to be a “dismissive attitude” toward people who may have privacy concerns. One question asks: “Are some people likely to object or find it intrusive?” A staff member writes: “Typically, no, but there is no accounting for some people.”
</p>

<p>
	At the same time, similar AI surveillance systems that use the technology to monitor crowds are increasingly being used around the world. During the Paris Olympic Games in France later this year, AI video surveillance will watch thousands of people and try to pick out crowd surges, use of weapons, and abandoned objects.
</p>

<p>
	“Systems that do not identify people are better than those that do, but I do worry about a slippery slope,” says Carissa Véliz, an associate professor in psychology at the Institute for Ethics in AI, at the University of Oxford. Véliz points to similar AI trials on the London Underground that had initially blurred faces of people who might have been dodging fares, but then changed approach, unblurring photos and keeping images for longer than was initially planned.
</p>

<p>
	“There is a very instinctive drive to expand surveillance,” Véliz says. “Human beings like seeing more, seeing further. But surveillance leads to control, and control to a loss of freedom that threatens liberal democracies.”
</p>

<p>
	<strong><a href="https://www.wired.com/story/amazon-ai-cameras-emotions-uk-train-passengers/" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">23764</guid><pubDate>Mon, 17 Jun 2024 13:54:34 +0000</pubDate></item><item><title>ASUS warns of critical remote authentication bypass on 7 routers</title><link>https://nsaneforums.com/news/security-privacy-news/asus-warns-of-critical-remote-authentication-bypass-on-7-routers-r23735/</link><description><![CDATA[<p>
	ASUS has released a new firmware update that addresses a vulnerability impacting seven router models that allows remote attackers to log in to the devices.
</p>

<p>
	The flaw, tracked as <a href="https://www.twcert.org.tw/tw/cp-132-7859-0e104-1.html" rel="external nofollow" target="_blank">CVE-2024-3080</a> (CVSS v3.1 score: 9.8 “critical”), is an authentication bypass vulnerability allowing unauthenticated, remote attackers to take control of the device.
</p>

<p>
	ASUS <a href="https://www.asus.com/content/asus-product-security-advisory/" rel="external nofollow" target="_blank">says</a> the issue impacts the following router models: 
</p>

<ul style="list-style-type:square">
	<li>
		<strong><a href="https://www.asus.com/uk/supportonly/asus%20zenwifi%20ax%20(xt8)/helpdesk_bios/" rel="external nofollow" target="_blank">XT8 (ZenWiFi AX XT8)</a></strong> – Mesh WiFi 6 system offering tri-band coverage with speeds up to 6600 Mbps, AiMesh support, AiProtection Pro, seamless roaming, and parental controls.
	</li>
	<li>
		<strong><a href="https://www.asus.com/uk/supportonly/asus%20zenwifi%20ax%20(xt8)/helpdesk_bios/" rel="external nofollow" target="_blank">XT8_V2 (ZenWiFi AX XT8 V2)</a></strong> – Updated version of the XT8, maintaining similar features with enhancements in performance and stability.
	</li>
	<li>
		<a href="https://www.asus.com/supportonly/RT-AX88U/helpdesk_bios/" rel="external nofollow" target="_blank"><strong>RT-AX88U</strong></a> – Dual-band WiFi 6 router with speeds up to 6000 Mbps, featuring 8 LAN ports, AiProtection Pro, and adaptive QoS for gaming and streaming.
	</li>
	<li>
		<a href="https://www.asus.com/supportonly/RT-AX58U/helpdesk_bios/" rel="external nofollow" target="_blank"><strong>RT-AX58U</strong></a> – Dual-band WiFi 6 router providing up to 3000 Mbps, with AiMesh support, AiProtection Pro, and MU-MIMO for efficient multi-device connectivity.
	</li>
	<li>
		<a href="https://www.asus.com/networking-iot-servers/wifi-routers/asus-wifi-routers/rt-ax57/helpdesk_bios" rel="external nofollow" target="_blank"><strong>RT-AX57</strong></a> – Dual-band WiFi 6 router designed for basic needs, offering up to 3000 Mbps, with AiMesh support and basic parental controls.
	</li>
	<li>
		<a href="https://www.asus.com/supportonly/RT-AC86U/helpdesk_bios/" rel="external nofollow" target="_blank"><strong>RT-AC86U</strong></a> – Dual-band WiFi 5 router with speeds up to 2900 Mbps, featuring AiProtection, adaptive QoS, and game acceleration.
	</li>
	<li>
		<a href="https://www.asus.com/supportonly/RT-AC68U/helpdesk_bios/" rel="external nofollow" target="_blank"><strong>RT-AC68U</strong></a> – Dual-band WiFi 5 router offering up to 1900 Mbps, with AiMesh support, AiProtection, and robust parental controls.
	</li>
</ul>

<p>
	ASUS suggests that people update their devices to the latest firmware versions available on its download portals (links for each model above). Firmware update instructions are available on <a href="https://www.asus.com/support/faq/1008000/" rel="external nofollow" target="_blank">this FAQ page</a>.
</p>

<p>
	For those unable to update the firmware immediately, the vendor suggests they ensure their account and WiFi passwords are strong (over 10 non-consecutive characters long).
</p>

<p>
	Moreover, it is recommended to disable internet access to the admin panel, remote access from WAN, port forwarding, DDNS, VPN server, DMZ, and port trigger.
</p>

<p>
	One more vulnerability addressed in the same firmware package is CVE-2024-3079, a high-severity (7.2) buffer overflow problem that requires admin account access to exploit.
</p>

<p>
	Taiwan's CERT has also informed the public about <a href="https://www.twcert.org.tw/tw/cp-132-7875-872d3-1.html" rel="external nofollow" target="_blank">CVE-2024-3912</a> in a post yesterday, which is a critical (9.8) <a href="https://www.tenable.com/cve/CVE-2024-3912" rel="external nofollow" target="_blank">arbitrary firmware upload</a> vulnerability allowing unauthenticated, remote attackers to execute system commands on the device.
</p>

<p>
	The flaw impacts multiple ASUS router models, but not all will be getting security updates due to them having reached their end-of-life (EoL).
</p>

<p>
	The proposed solution per impacted model is:
</p>

<ul style="list-style-type:square">
	<li>
		DSL-N17U, DSL-N55U_C1, DSL-N55U_D1, DSL-N66U: Upgrade to firmware version 1.1.2.3_792 or later.
	</li>
	<li>
		DSL-N12U_C1, DSL-N12U_D1, DSL-N14U, DSL-N14U_B1: Upgrade to firmware version 1.1.2.3_807 or later.
	</li>
	<li>
		DSL-N16, DSL-AC51, DSL-AC750, DSL-AC52U, DSL-AC55U, DSL-AC56U: Upgrade to firmware version 1.1.2.3_999 or later.
	</li>
	<li>
		DSL-N10_C1, DSL-N10_D1, DSL-N10P_C1, DSL-N12E_C1, DSL-N16P, DSL-N16U, DSL-AC52, DSL-AC55: EoL date reached, replacement is recommended.
	</li>
</ul>

<h2>
	Download Master security updates
</h2>

<p>
	Finally, ASUS announced an update to Download Master, a utility used on ASUS routers that enables users to manage and download files directly to a connected USB storage device via torrent, HTTP, or FTP.
</p>

<p>
	The newly released Download Master version 3.1.0.114 addresses five medium to high-severity issues concerning arbitrary file upload, OS command injection, buffer overflow, reflected XSS, and stored XSS problems.
</p>

<p>
	Though none of those is as critical as CVE-2024-3080, it is recommended that users upgrade their utility to version 3.1.0.114 or later for optimal security and protection.
</p>

<p>
	<a href="https://www.bleepingcomputer.com/news/security/asus-warns-of-critical-remote-authentication-bypass-on-7-routers/" rel="external nofollow">Source</a>
</p>

]]></description><guid isPermaLink="false">23735</guid><pubDate>Sat, 15 Jun 2024 19:09:33 +0000</pubDate></item><item><title>Mozilla Firefox can now secure access to passwords with device credentials</title><link>https://nsaneforums.com/news/security-privacy-news/mozilla-firefox-can-now-secure-access-to-passwords-with-device-credentials-r23720/</link><description><![CDATA[<p>
	Mozilla Firefox finally allows you to further protect local access to stored credentials in the browser's password manager using your device's login, including a password, fingerprint, pin, or other biometrics.
</p>

<p>
	To be clear, this new feature does not protect against information-stealing malware but rather prevents people with physical or remote access to the device from using the stored credentials without first authenticating with the device.
</p>

<p>
	Like all modern web browsers, Firefox includes a password manager to create unique passwords for every site you visit and then save them in the browser for easier logins in the future.
</p>

<p>
	Chromium-based browsers, such as Google Chrome, Brave, and Microsoft Edge, have for some time included a feature that prevents anyone with local access to your device from viewing saved credentials or filling in login forms without first authenticating.
</p>

<p>
	For example, when attempting to do so on Windows, the browser opens an operating system authentication prompt, asking the user to log in before the credentials can be accessed.
</p>

<p>
	With the release of <a href="https://www.mozilla.org/en-US/firefox/127.0/releasenotes/" rel="external nofollow" target="_blank">Firefox 127</a>, Mozilla has finally added a similar feature to the browser.
</p>

<p>
	"For added protection on MacOS and Windows, a device sign in (e.g. your operating system password, fingerprint, face or voice login if enabled) can be required when accessing and filling stored passwords in the <a href="https://support.mozilla.org/kb/password-manager-remember-delete-edit-logins" rel="external nofollow" target="_blank">Firefox Password Manager</a> about:logins page," reads the release notes.
</p>

<div style="">
	<p>
		<img alt="windows-auth-device-login.jpg" class="ipsImage" data-ratio="75.10" height="434" width="720" src="https://www.bleepstatic.com/images/news/web-browsers/firefox/password-device-login/windows-auth-device-login.jpg">
	</p>

	<div>
		<em>Using Windows authentication to access the Firefox password store</em>
	</div>

	<div>
		<em>Source: BleepingComputer</em>
	</div>

</div>

<p>
	Unfortunately, while this protects local access to the password manager, it does not prevent information-stealing malware from stealing stored credentials from infected devices.
</p>

<p>
	Credentials are stored in an encrypted format on disk but are easily decrypted using <a href="https://github.com/unode/firefox_decrypt" rel="external nofollow" target="_blank">open-source tools</a>, as the decryption key is stored in the Firefox data.
</p>

<p>
	To further secure Firefox's password manager, Mozilla suggests setting a Primary Password, which is used to encrypt the password database instead.
</p>

<div style="">
	<p>
		<img alt="master-password.jpg" class="ipsImage" data-ratio="75.10" height="505" width="720" src="https://www.bleepstatic.com/images/news/web-browsers/firefox/password-device-login/master-password.jpg">
	</p>

	<div>
		<em>Setting a Primary Password in Firefox</em>
	</div>

	<div>
		<em>Source: BleepingComputer</em>
	</div>

</div>

<p>
	As a Primary Password is known only to you and is not stored on your computer, the stored credentials cannot be decrypted and exported by threat actors, tools, or malware unless they first brute-force that password.
</p>

<p>
	However, Primary Passwords can still be brute-forced, so using a long and complex password is important to make that task much harder, if not infeasible, with current hardware.
</p>

<p>
	 
</p>

<p>
	<a href="https://www.bleepingcomputer.com/news/security/mozilla-firefox-can-now-secure-access-to-passwords-with-device-credentials/" rel="external nofollow">Source</a>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:12px;"><em>Hope you enjoyed this news post.</em></span>
</p>

<p>
	<span style="font-size:12px;"><em>Thank you for appreciating my time and effort posting news every single day for many years.</em></span>
</p>

<p>
	<span style="font-size:12px;"><em>2023: Over 5,800 news posts | 2024 (till end of May): Nearly 2,400 news posts</em></span>
</p>
]]></description><guid isPermaLink="false">23720</guid><pubDate>Sat, 15 Jun 2024 06:29:25 +0000</pubDate></item><item><title>Did Apple just Sherlock our favorite password managers?</title><link>https://nsaneforums.com/news/security-privacy-news/did-apple-just-sherlock-our-favorite-password-managers-r23711/</link><description><![CDATA[<h3>
	Is there a future for third-party password manager apps now that Apple has its own?
</h3>

<div>
	<div class="duet--article--article-body-component">
		<p>
			Password managers are essential. They keep track of your passwords, encourage better security practices, and generally help to manage your life across your devices. They’re the kind of feature that really should be built into every device — and Apple is massively expanding their reach with the launch of its new Passwords app, announced this week at WWDC.
		</p>

		<p>
			 
		</p>
	</div>

	<div class="duet--article--article-body-component">
		<p>
			We have companies like 1Password and LastPass to thank for the popularity of today’s password managers. But an announcement like Apple’s puts them in a tough position: now that Apple has a free, built-in Passwords app, is there a future for the third-party apps that defined the space?
		</p>

		<p>
			 
		</p>
	</div>

	<div class="duet--article--article-body-component">
		<p>
			So far, the leaders behind those apps think there is. “You’ve got to have the ability to not only go across browsers and apps, but also across multiple devices running multiple operating systems,” says LastPass CEO Karim Toubba.
		</p>

		<p>
			 
		</p>
	</div>

	<div class="duet--article--article-body-component clear-both block md:float-left md:mr-30 md:w-[320px] lg:-ml-100">
		<div class="duet--article--article-pullquote mb-20">
			<p>
				Password managers have long competed against platform owners
			</p>

			<p>
				 
			</p>
		</div>
	</div>

	<div class="duet--article--article-body-component">
		<p>
			Password managers have been competing against platform owners for a long time. Google has a password manager tied to your account that can sync your passwords across Chrome and Android, and Microsoft’s Edge has a built-in password manager, too.
		</p>

		<p>
			 
		</p>
	</div>

	<div class="duet--article--article-body-component">
		<p>
			But the big advantage of third-party password managers has been compatibility with a wide range of platforms. They are also generally more robust than first-party offerings. Although those additional features often come at a cost, paying for a widely accessible password manager is usually worth the price.
		</p>

		<p>
			 
		</p>
	</div>

	<div class="duet--article--article-body-component">
		<p>
			Apple’s <a href="https://www.theverge.com/2024/6/10/24175505/apple-password-app-passkey-manager-windows-mac-icloud" rel="external nofollow">Passwords app</a> is mostly focused on Apple products — it will be available on iPhone, iPad, Mac, and the Vision Pro — though you’ll also be able to access it on Windows via <a href="https://www.theverge.com/2024/2/8/24065866/apple-windows-apps-music-tv-devices-itunes" rel="external nofollow">the iCloud for Windows app</a>. Notice that Google is missing from that list; Apple didn’t say anything about Passwords support for Android, the most-used mobile operating system in the world, or Chrome, the most popular web browser in the world, despite the fact that there is currently an <a href="https://chromewebstore.google.com/detail/icloud-passwords/pejdijmoenmkgeppbflobdenhhabjlaj?pli=1" rel="external nofollow">iCloud Passwords app available on the Chrome Web Store</a>. Apple didn’t reply to a request for comment.
		</p>

		<p>
			 
		</p>
	</div>

	<div class="duet--article--article-body-component">
		<p>
			That lack of broad platform support could mean Apple’s Passwords app isn’t as obvious of a choice as it might seem. All four of the companies I talked to — LastPass, Dashlane, Bitwarden, and Proton — zeroed in on the importance of cross-compatibility. (1Password declined to comment.)
		</p>

		<p>
			 
		</p>
	</div>

	<div class="duet--article--article-body-component">
		<p>
			“What users appreciate most about Dashlane is that it seamlessly works across any platform, any device, any time,” says Dashlane chief product officer Donald Hasson. “The vast majority of our users have Dashlane on multiple platforms. Having options, especially when it comes to where and how you save your credentials, is key.”
		</p>

		<p>
			 
		</p>
	</div>

	<div class="duet--article--article-body-component">
		<p>
			“Apple’s track record with cross-platform support, such as the limited functionality of iCloud for Windows and conflicts with Google over SMS standards, raises concerns about the usability of their Passwords app across different platforms,” says Proton Pass product lead Son Nguyen.
		</p>

		<p>
			 
		</p>
	</div>

	<div class="duet--article--article-body-component">
		<p>
			The makers of password managers have also found that their users tend to stick around. “Once people start to get real value out of the application, it’s actually extremely sticky,” says LastPass CEO Toubba.
		</p>

		<p>
			 
		</p>
	</div>

	<div class="duet--article--article-body-component">
		<p>
			Apple’s Passwords app could be great for anyone who is deep in the company’s ecosystem and primarily uses Apple devices. Even better, the Passwords app is free. But I think third-party password managers will be fine. If you need to access your passwords across a range of devices and platforms, Apple’s Passwords app may not cut it.
		</p>

		<p>
			 
		</p>
	</div>
</div>

<p>
	<a href="https://www.theverge.com/2024/6/14/24178564/apple-password-managers-lastpass-sherlock" rel="external nofollow">Source</a>
</p>

<p>
	 
</p>

]]></description><guid isPermaLink="false">23711</guid><pubDate>Fri, 14 Jun 2024 19:50:09 +0000</pubDate></item><item><title>Mozilla reinstates Russians&#x2019; access to Firefox add-ons banned by federal censor</title><link>https://nsaneforums.com/news/security-privacy-news/mozilla-reinstates-russians%E2%80%99-access-to-firefox-add-ons-banned-by-federal-censor-r23701/</link><description><![CDATA[<p>
	A day after reports that Mozilla had complied with orders from government officials and restricted access in Russia to several Firefox add-ons used to circumvent censorship, the company announced on Thursday that it’s reversed course and restored Russians’ access to the VPN and proxy-server technology. A spokesman told the newspaper Kommersant that Mozilla remains committed to supporting users in Russia and worldwide:
</p>

<p>
	 
</p>

<p style="margin-left:40px;">
	In alignment with our commitment to an open and accessible Internet, Mozilla will reinstate previously restricted listings in Russia. Our initial decision to temporarily restrict these listings was made while we considered the regulatory environment in Russia and the potential risk to our community and staff.
</p>

<p style="margin-left:40px;">
	 
</p>

<p>
	<strong><a href="https://meduza.io/en/news/2024/06/13/mozilla-reinstates-russians-access-to-firefox-add-ons-banned-by-federal-censor" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">23701</guid><pubDate>Thu, 01 Jan 1970 00:00:00 +0000</pubDate></item><item><title>Seeing Ads on YouTube? Google is testing server-side ads that break adblockers</title><link>https://nsaneforums.com/news/security-privacy-news/seeing-ads-on-youtube-google-is-testing-server-side-ads-that-break-adblockers-r23699/</link><description><![CDATA[<p>
	If you run an adblocker in your browser of choice and still see ads on YouTube, then you have been selected for an experiment on the popular streaming website.
</p>

<p>
	 
</p>

<p>
	Yesterday, the official X account of SponsorBlock revealed that Google is testing server-side ads on YouTube. The new ad delivery technique injects ads directly into the video stream. The makers of the popular service noticed because it broke SponsorBlock: the timestamps were no longer correct.
</p>

<p>
	 
</p>

<p>
	At about the same time, users started to report issues with ads on YouTube on sites like Reddit. Most said that they were now seeing unskippable ads on YouTube, even while they were using adblockers like uBlock Origin.
</p>

<p>
	 
</p>

<p>
	Reports suggest that Google is blocking controls of the video on top of that, so that features such as skipping ahead are not active while the ad is playing.
</p>

<p>
	 
</p>

<p style="text-align:center;">
	<img alt="ads-on-youtube.png" class="ipsImage" data-ratio="75.10" height="420" width="720" src="https://www.ghacks.net/wp-content/uploads/2024/06/ads-on-youtube.png">
</p>

<p style="text-align:center;">
	 
</p>

<p>
	Extension developers are scrambling to gain access to this new form of ad delivery on YouTube to test their extensions against it and find ways around it.
</p>

<p>
	 
</p>

<p>
	It is too early to say if there will be workarounds.
</p>

<p>
	 
</p>

<p>
	Some users have suggested that checking for yt.config_.EXPERIMENT_FLAGS.html5_enable_ssap_entity_id in the browser's Web Developer console reveals whether the experiment is currently running. A return value of "undefined" means that it is not.
</p>

<p>
	 
</p>

<p>
	<span style="font-size:28px;"><strong>The future of content blocking on YouTube</strong></span>
</p>

<p>
	 
</p>

<p>
	Google is experimenting all the time to deliver ads to content blocking users of the service. To mention just a few:
</p>

<p>
	 
</p>

<ul>
	<li>
		Bringing unskippable ads to YouTube TV.
	</li>
	<li>
		Google is testing up to 10 unskippable ads on YouTube.
	</li>
	<li>
		Showing "Ad blockers not allowed" messages.
	</li>
</ul>

<p>
	 
</p>

<p>
	The latest experiment adds a new dimension, as it introduces server-side ad injections.
</p>

<p>
	 
</p>

<p>
	While it breaks timestamps for now, Google could fix that easily, as the company knows the playtime of its ads.
</p>

<p>
	 
</p>

<p>
	It is too early to say if server-side ad injections will be Google's trump card against content blockers. Once extension creators get to experience the new system first-hand, they may find ways to deal with it again.
</p>

<p>
	 
</p>

<p>
	It is also unclear if extensions like Ad Accelerator or Ad Speedup that speed up or skip ads will continue to work.
</p>

<p>
	 
</p>

<p>
	It is a cat and mouse game that seemingly never ends.
</p>

<p>
	 
</p>

<p>
	It will be interesting to see how ad-blocking users react when advertisements can no longer be blocked on YouTube. Will they bite the bullet and endure ads? Will they subscribe to YouTube Premium? Or will they reduce their consumption of videos on YouTube?
</p>

<p>
	 
</p>

<p>
	Do you watch videos on YouTube? If you block ads there, what would you do if they could no longer be blocked on the site?
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://www.ghacks.net/2024/06/13/seeing-ads-on-youtube-google-is-testing-server-side-ads-that-break-adblockers/" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">23699</guid><pubDate>Thu, 13 Jun 2024 22:33:29 +0000</pubDate></item><item><title>Pakistan-linked Malware Campaign Evolves to Target Windows, Android, and macOS</title><link>https://nsaneforums.com/news/security-privacy-news/pakistan-linked-malware-campaign-evolves-to-target-windows-android-and-macos-r23691/</link><description><![CDATA[<p>
	Threat actors with ties to Pakistan have been linked to a long-running malware campaign dubbed Operation Celestial Force since at least 2018.
</p>

<p>
	 
</p>

<p>
	The activity, still ongoing, entails the use of an Android malware called GravityRAT and a Windows-based malware loader codenamed HeavyLift, according to Cisco Talos, which are administered using another standalone tool referred to as GravityAdmin.
</p>

<p>
	 
</p>

<p>
	The cybersecurity company attributed the intrusion to an adversary it tracks under the moniker Cosmic Leopard (aka SpaceCobra), which it said exhibits some level of tactical overlap with Transparent Tribe.
</p>

<p>
	 
</p>

<p>
	"Operation Celestial Force has been active since at least 2018 and continues to operate today — increasingly utilizing an expanding and evolving malware suite — indicating that the operation has likely seen a high degree of success targeting users in the Indian subcontinent," security researchers Asheer Malhotra and Vitor Ventura said in a technical report shared with The Hacker News.
</p>

<p>
	 
</p>

<p>
	GravityRAT first came to light in 2018 as a Windows malware targeting Indian entities via spear-phishing emails, boasting of an ever-evolving set of features to harvest sensitive information from compromised hosts. Since then, the malware has been ported to work on Android and macOS operating systems, turning it into a multi-platform tool.
</p>

<p>
	 
</p>

<p>
	Subsequent findings from Meta and ESET last year uncovered continued use of the Android version of GravityRAT to target military personnel in India and among the Pakistan Air Force by masquerading it as cloud storage, entertainment, and chat apps.
</p>

<p>
	 
</p>

<p style="text-align:center;">
	<img alt="cisco.png" class="ipsImage" data-ratio="67.50" height="480" width="720" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhCAeCaSyNrcE1XTtbP4XleSPRr4qxig-VajJ8o7zFb-MBIuD3w4dwAgD6dNN4YUDpTAu-MCh79IPd9m7KxHDlXh0PRBw9VINbNQCcy62cJzGsye7A0SJ5YnmRaYMNaWdOViXRpUycxpc2PpskdUm_6Zdm8_EpWEfNEIHjbitwUQlogTrTFgbv9leOqnXEd/s728-rw-e365/cisco.png" />
</p>

<p style="text-align:center;">
	 
</p>

<p>
	Cisco Talos' findings bring all these disparate-but-related activities under a common umbrella, driven by evidence that points to the threat actor's use of GravityAdmin to orchestrate these attacks.
</p>

<p>
	 
</p>

<p>
	Cosmic Leopard has been predominantly observed employing spear-phishing and social engineering to establish trust with prospective targets, before sending them a link to a malicious site that instructs them to download a seemingly innocuous program that drops GravityRAT or HeavyLift depending on the operating system used.
</p>

<p>
	 
</p>

<p>
	GravityRAT is said to have been put to use as early as 2016. GravityAdmin, on the other hand, is a binary used to commandeer infected systems since at least August 2021 by establishing connections with GravityRAT and HeavyLift's command-and-control (C2) servers.
</p>

<p>
	 
</p>

<p>
	"GravityAdmin consists of multiple inbuilt User Interfaces (UIs) that correspond to specific, codenamed, campaigns being operated by malicious operators," the researchers noted. "For example, 'FOXTROT,' 'CLOUDINFINITY,' and 'CHATICO' are names given to all Android-based GravityRAT infections whereas 'CRAFTWITHME,' 'SEXYBER,' and 'CVSCOUT' are names for attacks deploying HeavyLift."
</p>

<p>
	 
</p>

<p>
	The newly discovered component of the threat actor's arsenal is HeavyLift, an Electron-based malware loader family distributed via malicious installers targeting the Windows operating system. It also has similarities with GravityRAT's Electron versions documented previously by Kaspersky in 2020.
</p>

<p>
	 
</p>

<p>
	Once launched, the malware gathers system metadata and exports it to a hard-coded C2 server, after which it periodically polls the server for new payloads to execute on the system. It is also designed to perform the same functions on macOS.
</p>

<p>
	 
</p>

<p>
	"This multi-year operation continuously targeted Indian entities and individuals likely belonging to defense, government, and related technology spaces," the researchers said.
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://thehackernews.com/2024/06/pakistan-linked-malware-campaign.html" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">23691</guid><pubDate>Thu, 13 Jun 2024 21:30:42 +0000</pubDate></item><item><title>Cybercriminals Employ PhantomLoader to Distribute SSLoad Malware</title><link>https://nsaneforums.com/news/security-privacy-news/cybercriminals-employ-phantomloader-to-distribute-ssload-malware-r23690/</link><description><![CDATA[<p>
	The nascent malware known as SSLoad is being delivered by means of a previously undocumented loader called PhantomLoader, according to findings from cybersecurity firm Intezer.
</p>

<p>
	 
</p>

<p>
	"The loader is added to a legitimate DLL, usually EDR or AV products, by binary patching the file and employing self-modifying techniques to evade detection," security researchers Nicole Fishbein and Ryan Robinson said in a report published this week.
</p>

<p>
	 
</p>

<p>
	SSLoad, likely offered to other threat actors under a Malware-as-a-Service (MaaS) model owing to its different delivery methods, infiltrates systems through phishing emails, conducts reconnaissance, and pushes additional types of malware down to victims.
</p>

<p>
	 
</p>

<p>
	Prior reporting from Palo Alto Networks Unit 42 and Securonix has revealed the use of SSLoad to deploy Cobalt Strike, a legitimate adversary simulation software often used for post-exploitation purposes. The malware has been detected since April 2024.
</p>

<p>
	 
</p>

<p>
	The attack chains typically involve the use of an MSI installer that, when launched, initiates the infection sequence. Specifically, it leads to the execution of PhantomLoader, a 32-bit DLL written in C/C++ that masquerades as a DLL module for an antivirus software called 360 Total Security ("MenuEx.dll").
</p>

<p>
	 
</p>

<p>
	The first-stage malware is designed to extract and run the payload, a Rust-based downloader DLL that, in turn, retrieves the main SSLoad payload from a remote server, the details of which are encoded in an actor-controlled Telegram channel that serves as a dead drop resolver.
</p>

<p>
	 
</p>

<p>
	Also written in Rust, the final payload fingerprints the compromised system and sends the information in the form of a JSON string to the command-and-control (C2) server, after which the server responds with a command to download more malware.
</p>

<p>
	 
</p>

<p>
	"SSLoad demonstrates its capability to gather reconnaissance, attempt to evade detection and deploy further payloads through various delivery methods and techniques," the researchers said, adding its dynamic string decryption and anti-debugging measures "emphasize its complexity and adaptability."
</p>

<p>
	 
</p>

<p>
	The development comes as phishing campaigns have also been observed disseminating remote access trojans such as JScript RAT and Remcos RAT to enable persistent operation and execution of commands received from the server.
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://thehackernews.com/2024/06/cybercriminals-employ-phantomloader-to.html" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">23690</guid><pubDate>Thu, 13 Jun 2024 21:28:10 +0000</pubDate></item><item><title>New Attack Technique 'Sleepy Pickle' Targets Machine Learning Models</title><link>https://nsaneforums.com/news/security-privacy-news/new-attack-technique-sleepy-pickle-targets-machine-learning-models-r23689/</link><description><![CDATA[<p>
	The security risks posed by the Pickle format have once again come to the fore with the discovery of a new "hybrid machine learning (ML) model exploitation technique" dubbed Sleepy Pickle.
</p>

<p>
	 
</p>

<p>
	The attack method, per Trail of Bits, weaponizes the ubiquitous format used to package and distribute machine learning (ML) models to corrupt the model itself, posing a severe supply chain risk to an organization's downstream customers.
</p>

<p>
	 
</p>

<p>
	"Sleepy Pickle is a stealthy and novel attack technique that targets the ML model itself rather than the underlying system," security researcher Boyan Milanov said.
</p>

<p>
	 
</p>

<p>
	Pickle is widely used as a serialization format by ML libraries like PyTorch, but it can be used to carry out arbitrary code execution attacks simply by loading a pickle file (i.e., during deserialization).
</p>

<p>
	 
</p>

<p>
	"We suggest loading models from users and organizations you trust, relying on signed commits, and/or loading models from [TensorFlow] or Jax formats with the from_tf=True auto-conversion mechanism," Hugging Face points out in its documentation.
</p>

<p>
	 
</p>

<p>
	Sleepy Pickle works by inserting a payload into a pickle file using open-source tools like Fickling, and then delivering it to a target host using one of four techniques: an adversary-in-the-middle (AitM) attack, phishing, supply chain compromise, or the exploitation of a system weakness.
</p>

<p>
	 
</p>

<p style="text-align:center;">
	<img alt="ml.png" class="ipsImage" data-ratio="54.58" height="389" width="720" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjoxxou73h1gwEUwY5MtfzSOu021OtVtA_wvB6MFMAIB-GUKrLdgjsNm903Q_6Nb9ElrF4Uhx5uw1jlTDP-8a04vahJAgDQ9GZlaMn25cLvrgpjvP2IqFVseZRt1mGNanu_5UcS36JbQLBDzsB5rXKuxBW-QtPx8RZ5yR1oY1pQ7DKFIVfrWQZ8zseOpt5c/s728-rw-e365/ml.png" />
</p>

<p style="text-align:center;">
	 
</p>

<p>
	"When the file is deserialized on the victim's system, the payload is executed and modifies the contained model in-place to insert backdoors, control outputs, or tamper with processed data before returning it to the user," Milanov said.
</p>

<p>
	 
</p>

<p>
	Put differently, the payload injected into the pickle file containing the serialized ML model can be abused to alter model behavior by tampering with the model weights, or tampering with the input and output data processed by the model.
</p>

<p>
	 
</p>

<p>
	In a hypothetical attack scenario, the approach could be used to generate harmful outputs or misinformation that can have disastrous consequences to user safety (e.g., drink bleach to cure flu), steal user data when certain conditions are met, and attack users indirectly by generating manipulated summaries of news articles with links pointing to a phishing page.
</p>

<p>
	 
</p>

<p>
	Trail of Bits said that Sleepy Pickle can be weaponized by threat actors to maintain surreptitious access on ML systems in a manner that evades detection, given that the model is compromised when the pickle file is loaded in the Python process.
</p>

<p>
	 
</p>

<p>
	This is also more effective than directly uploading a malicious model to Hugging Face, as it can modify model behavior or output dynamically without having to entice their targets into downloading and running them.
</p>

<p>
	 
</p>

<p>
	"With Sleepy Pickle attackers can create pickle files that aren't ML models but can still corrupt local models if loaded together," Milanov said. "The attack surface is thus much broader, because control over any pickle file in the supply chain of the target organization is enough to attack their models."
</p>

<p>
	 
</p>

<p>
	"Sleepy Pickle demonstrates that advanced model-level attacks can exploit lower-level supply chain weaknesses via the connections between underlying software components and the final application."
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://thehackernews.com/2024/06/new-attack-technique-sleepy-pickle.html" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">23689</guid><pubDate>Thu, 13 Jun 2024 21:26:18 +0000</pubDate></item><item><title>Google wants to make it impossible to block YouTube ads as they may be inside videos</title><link>https://nsaneforums.com/news/security-privacy-news/google-wants-to-make-it-impossible-to-block-youtube-ads-as-they-may-be-inside-videos-r23677/</link><description><![CDATA[<p>
	Google has been constantly trying to find ways to stop adblockers from blocking ads on its YouTube platform. In June last year, it started limiting <a href="https://www.neowin.net/news/youtube-limits-viewers-to-three-videos-if-an-adblocker-is-detected/" rel="external nofollow">videos to just three</a> if it detected an adblock. This was done with a prompt which later got revised to one where it would count down <a href="https://www.neowin.net/news/youtube-gets-more-aggressive-in-pushing-adblock-warnings-with-countdown-timer/" rel="external nofollow">30-60 seconds</a> before an ad would start playing.
</p>

<p>
	 
</p>

<p>
	As such efforts have not borne the fruit Google had hoped for, since adblockers like uBlock Origin evolved to counter them, in April this year the company clearly expressed its displeasure at the entire situation with some <a href="https://www.neowin.net/news/youtube-is-making-a-bigger-effort-to-go-after-third-party-apps-that-block-its-ads/" rel="external nofollow">stern words</a>.
</p>

<p>
	 
</p>

<p>
	Google now apparently wants to make it impossible for traditional adblockers to block ads on its video platform. According to SponsorBlock, a tool that blocks sponsored segments inside YouTube videos (another major annoyance for viewers), Google is working on server-side injection of ads, which means the ads will be inside the videos themselves.
</p>

<p>
	 
</p>

<div class="ipsEmbeddedOther" contenteditable="false">
	<iframe allowfullscreen="" data-controller="core.front.core.autosizeiframe" data-embedid="8f8806559c1b396037e553d51774f4e3" src="https://nsaneforums.com/index.php?app=core&amp;module=system&amp;controller=embed&amp;url=https://twitter.com/SponsorBlock/status/1800835402666054072?ref_src=twsrc%255Etfw%257Ctwcamp%255Etweetembed%257Ctwterm%255E1800835402666054072%257Ctwgr%255Ec94bc04db5f4e37f77f0baca0d9debb3b431319f%257Ctwcon%255Es1_%26ref_url=https://www.neowin.net/news/google-wants-to-make-it-impossible-to-block-youtube-ads-as-they-may-be-inside-videos/"></iframe>
</div>

<p>
	The SponsorBlock developer has also published an FAQ about this new "experiment" YouTube wants to conduct and how it will affect SponsorBlock and adblockers:
</p>

<p>
	 
</p>

<blockquote class="QuoteNewsStyle">
	<p>
		<strong>Does this mean YouTube is live re-encoding content?</strong>
	</p>

	<p>
		 
	</p>

	<p>
		No, this is not needed. Online video streaming nowadays uses a "playlist" of video chunks. These chunks are separately encoded videos, so can easily be swapped out, or concatenated to. This also means that an ad-blocker could ignore specific chunks if they know which ones to ignore.
	</p>

	<p>
		 
	</p>

	<p>
		<strong>Is this the end of SponsorBlock?</strong>
	</p>

	<p>
		 
	</p>

	<p>
		No, if YouTube displays any UI such as a clickable link, that means it has to know how long the ad is. SponsorBlock could find this data as well. There is also the feature for clicking on a timestamp in a comment that would need to know the duration of the ad, so it should be findable somewhere, it just might be kind of hard.
	</p>

	<p>
		 
	</p>

	<p>
		In the short term, SponsorBlock will not work for people with this experiment.
	</p>

	<p>
		 
	</p>

	<p>
		<strong>Will this be the end of general adblockers?</strong>
	</p>

	<p>
		 
	</p>

	<p>
		Probably not. But it makes things harder. As always, uBlock Origin works best on Firefox-based browsers, especially now that we reach the end of manifest v2.
	</p>
</blockquote>

<p>
	Hence, as you may note in the first query, SponsorBlock suggests it may not be impossible to block such server-side ads for adblockers if they can detect where the ads are placed and skip those parts entirely. However, it may still be a difficult exercise as this appears to be new territory for adblockers to conquer.
</p>

<p>
	 
</p>

<hr>
<p>
	 
</p>

<p>
	<a href="https://www.neowin.net/news/google-wants-to-make-it-impossible-to-block-youtube-ads-as-they-may-be-inside-videos/" rel="external nofollow">Source</a>
</p>

<p>
	 
</p>

]]></description><guid isPermaLink="false">23677</guid><pubDate>Thu, 13 Jun 2024 19:59:18 +0000</pubDate></item><item><title>X makes Likes private starting this week to help users avoid backlash for what they like</title><link>https://nsaneforums.com/news/security-privacy-news/x-makes-likes-private-starting-this-week-to-help-users-avoid-backlash-for-what-they-like-r23662/</link><description><![CDATA[<p>
	X (formerly Twitter) has announced via its Engineering account (@<a href="https://x.com/XEng" rel="external nofollow">XEng</a>) that it will be making a change to the way that Likes are displayed on the platform starting from this week. The change will make Likes private for all users, which is designed to "better protect your privacy" and will be music to the ears of public facing figures, allowing them to like to their heart's content without fear of backlash as also seen on <a href="https://www.neowin.net/news/be-careful-what-you-like-on-facebook-man-convicted-for-liking-defamatory-posts/" rel="external nofollow">Facebook in the past</a>.
</p>

<p>
	 
</p>

<div class="ipsEmbeddedOther" contenteditable="false">
	<iframe allowfullscreen="" data-controller="core.front.core.autosizeiframe" data-embedid="535d6625ea6e8991055e70d73338d279" src="https://nsaneforums.com/index.php?app=core&amp;module=system&amp;controller=embed&amp;url=https://twitter.com/XEng/status/1800634371906380067?ref_src=twsrc%255Etfw%257Ctwcamp%255Etweetembed%257Ctwterm%255E1800634371906380067%257Ctwgr%255Ee38decd63cff01ffb7bfc8394a9d1c03070676b8%257Ctwcon%255Es1_%26ref_url=https://www.neowin.net/news/x-makes-likes-private-starting-this-week-to-help-users-avoid-backlash-for-what-they-like/"></iframe>
</div>

<p>
	Previously this feature was limited to <a href="https://www.neowin.net/news/x-launches-two-new-subscription-plans-including-one-premium-for-16-a-month/" rel="external nofollow">X Premium subscriptions</a> only, however, this latest change will be made available to everyone. Users will no longer be able to see who liked someone else's post, but can see who liked their posts. Like counts will still be visible alongside other metrics for your posts, and you will still be able to see a list of posts that you have liked.
</p>

<p>
	 
</p>

<p>
	This isn't a big selling point for the Premium tier though, as the $16 a month subscription is now losing one of its features and reasons for users to subscribe. This subscription, which replaced what was previously Twitter Blue, still gives the ability to remove ads, a blue checkmark, and boosts to replies.
</p>

<p>
	 
</p>

<p>
	The change also comes as the platform makes changes to <a href="https://www.neowin.net/news/x-formerly-twitter-changes-rules-to-allow-more-adult-content/" rel="external nofollow">allow more adult content</a>, which suggests there were concerns following that announcement that people would not engage or interact with such content for fear of repercussions, even though these posts will show a content warning to users and such content cannot be placed in profile photos or account banners.
</p>

<p>
	 
</p>

<p>
	<a href="https://www.neowin.net/news/x-makes-likes-private-starting-this-week-to-help-users-avoid-backlash-for-what-they-like/" rel="external nofollow">Source</a>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:12px;"><em>Hope you enjoyed this news post.</em></span>
</p>

<p>
	<span style="font-size:12px;"><em>Thank you for appreciating my time and effort posting news every single day for many years.</em></span>
</p>

<p>
	<span style="font-size:12px;"><em>2023: Over 5,800 news posts | 2024 (till end of May): Nearly 2,400 news posts</em></span>
</p>
]]></description><guid isPermaLink="false">23662</guid><pubDate>Wed, 12 Jun 2024 19:03:28 +0000</pubDate></item><item><title>Police arrest Conti and LockBit ransomware crypter specialist</title><link>https://nsaneforums.com/news/security-privacy-news/police-arrest-conti-and-lockbit-ransomware-crypter-specialist-r23660/</link><description><![CDATA[<p>
	The Ukrainian cyber police have arrested a 28-year-old Russian man in Kyiv for working with the Conti and LockBit ransomware operations to make their malware undetectable by antivirus software, and for conducting at least one attack himself.
</p>

<p>
	 
</p>

<p>
	The investigation was backed by information shared by the Dutch police who responded to a ransomware attack on a Dutch multinational, followed by data-theft extortion.
</p>

<p>
	 
</p>

<p>
	The man was arrested on April 18, 2024, as part of the '<a href="https://www.bleepingcomputer.com/news/security/police-seize-over-100-malware-loader-servers-arrest-four-cybercriminals-operation-endgame/" target="_blank" rel="external nofollow">Operation Endgame</a>' law enforcement operation that took down various botnets and their main operators.
</p>

<p>
	 
</p>

<p>
	As the Conti ransomware group used some of those botnets for initial access on breached endpoints, evidence led investigators to the Russian hacker.
</p>

<p>
	 
</p>

<p>
	The Ukrainian police reported that the arrested individual was a specialist in developing custom crypters that packed ransomware payloads into what appeared to be benign files, making them FUD (fully undetectable) to popular antivirus products.
</p>

<p>
	 
</p>

<p>
	The police found that the man was selling his crypting services to both the Conti and LockBit cybercrime syndicates, helping them significantly increase their chances of success on breached networks.
</p>

<p>
	 
</p>

<p>
	The <a href="https://www.politie.nl/nieuws/2024/juni/5/verdachte-ransomware-opgepakt.html" rel="external nofollow" target="_blank">Dutch police confirmed</a> at least one case of the arrested individual orchestrating a ransomware attack himself in 2021, using a Conti payload, so he also operated as an affiliate to maximize his profit.
</p>

<p>
	 
</p>

<p>
	"As part of the pre-trial investigation, police, together with patrol officers of the special unit "TacTeam" of the TOR DPP battalion, conducted a search in Kyiv," reads the Ukraine <a href="https://cyberpolice.gov.ua/news/atakuvaly-providne-pidpryyemstvo-u-niderlandax-ta-belgiyi-policzejski-vykryly-posobnyka-rosijskyx-xakeriv-4010/" rel="external nofollow" target="_blank">police announcement</a>.
</p>

<p>
	 
</p>

<p>
	"Additionally, at the international request of law enforcement agencies in the Netherlands, a search was conducted in the Kharkiv region."
</p>

<p>
	 
</p>

<p>
	Embedded YouTube video (title translated from Ukrainian: "Attacked a leading enterprise in Europe: police exposed an accomplice of Russian hackers"): <a href="https://www.youtube-nocookie.com/embed/be5XS4RUai4" rel="external nofollow">https://www.youtube-nocookie.com/embed/be5XS4RUai4</a>
</p>

<p>
	 
</p>

<p>
	As a result of these searches, computer equipment, mobile phones, and handwritten notes were seized for further examination.
</p>

<p>
	 
</p>

<p>
	The investigation into the programmer's activities and precise involvement in the Conti and LockBit attacks is currently underway.
</p>

<p>
	 
</p>

<p>
	The suspect has already been charged under Part 5 of Article 361 of the Criminal Code of Ukraine (Unauthorized interference in the work of information, electronic communication, information and communication systems, electronic communication networks) and faces up to 15 years' imprisonment.
</p>

<p>
	 
</p>

<p>
	<a href="https://www.bleepingcomputer.com/news/security/police-arrest-conti-and-lockbit-ransomware-crypter-specialist/" rel="external nofollow">Source</a>
</p>

<p>
	 
</p>

]]></description><guid isPermaLink="false">23660</guid><pubDate>Wed, 12 Jun 2024 19:00:09 +0000</pubDate></item><item><title>Outlook personal email accounts will need more than just usernames and passwords Sept. 16</title><link>https://nsaneforums.com/news/security-privacy-news/outlook-personal-email-accounts-will-need-more-than-just-usernames-and-passwords-sept-16-r23640/</link><description><![CDATA[<p>
	Microsoft has announced some major changes for people who use personal accounts to sign into their Outlook email accounts. Starting on September 16, Outlook personal accounts will no longer support signing in with what the company calls Basic Authentication, the old-fashioned username-and-password method.
</p>

<p>
	 
</p>

<p>
	<a href="https://techcommunity.microsoft.com/t5/outlook-blog/keeping-our-outlook-personal-email-users-safe-reinforcing-our/ba-p/4164184" rel="external nofollow">In a blog post</a>, Microsoft says that on that date, Outlook users, including people who still get their email via Hotmail.com and Live.com addresses, must access their accounts through either a supported mail or calendar app or the Outlook.com website. These all use what the company calls Modern Authentication methods. Other apps, such as the current Outlook apps for Windows, Mac, iOS, and Android, along with Apple Mail and Thunderbird, also support Modern Authentication.
</p>

<p>
	 
</p>

<p>
	In the post, Microsoft says:
</p>

<p>
	 
</p>

<blockquote class="QuoteNewsStyle">
	<p>
		While Basic Auth was the standard for quite some time, it also made it easier for bad actors to capture a person’s login information. This increased the risk of those stolen credentials being reused to gain access to a person’s email or personal data. Email-based cyberattacks have only increased with time, so we are requiring modern authentication for all Outlook customers to better help protect their personal accounts.
	</p>
</blockquote>

<p>
	The blog also described how Modern Authentication methods make signing into Outlook personal email accounts safer:
</p>

<p>
	 
</p>

<blockquote class="QuoteNewsStyle">
	<p>
		With Modern Authentication methods we apply additional backend process/tokens that users may not notice that add an extra layer of security. Anyone who is attempting to use an application which does not support modern authentication will no longer be able to access their Outlook.com, Hotmail or Live.com email from those applications.
	</p>
</blockquote>

<p>
	Microsoft will also shut down the lite version of the Outlook web app, which could be accessed via older web browsers, on August 19, 2024. It also reminded users that it plans to <a href="https://www.neowin.net/news/microsoft-now-says-the-new-outlook-will-replace-mail-and-calendar-apps-by-the-end-of-2024/" rel="external nofollow">end support for the old Windows Mail and Calendar apps</a> by the end of this year.
</p>

<p>
	 
</p>

<p>
	In addition, Microsoft will end support for accessing Google Gmail accounts in Outlook.com very soon, by June 30. Gmail accounts can still be accessed via the Outlook Windows and Mac apps. Finally, Outlook mobile users will no longer be able to use the voice command features Play My Emails and Voice Search at the end of June.
</p>

<p>
	 
</p>

<p>
	<a href="https://www.neowin.net/news/outlook-personal-email-accounts-will-do-away-with-basic-usernames-and-passwords-september-16/" rel="external nofollow">Source</a>
</p>

<p>
	 
</p>

]]></description><guid isPermaLink="false">23640</guid><pubDate>Tue, 11 Jun 2024 21:23:03 +0000</pubDate></item><item><title>Ransomware gangs are adopting &#x201C;more brutal&#x201D; tactics amid crackdowns</title><link>https://nsaneforums.com/news/security-privacy-news/ransomware-gangs-are-adopting-%E2%80%9Cmore-brutal%E2%80%9D-tactics-amid-crackdowns-r23639/</link><description><![CDATA[<h3>
	Researchers fear real-world violence as law enforcement plays Whac-A-Mole with gangs.
</h3>

<div class="article-content post-page" itemprop="articleBody">
	
	<p>
		Today, people around the world will head to school, doctor’s appointments, and pharmacies, only to be told, “Sorry, our computer systems are down.” The frequent culprit is a cybercrime gang operating on the other side of the world, demanding payment for system access or the safe return of stolen data.
	</p>

	<p>
		 
	</p>

	<p>
		The <a href="https://www.wired.com/tag/ransomware/" rel="external nofollow">ransomware</a> epidemic shows no signs of slowing down in 2024—despite increasing police crackdowns—and experts worry that it could soon enter a more violent phase.
	</p>

	<p>
		 
	</p>

	<p>
		“We’re definitely not winning the fight against ransomware right now,” Allan Liska, a threat intelligence analyst at Recorded Future, tells WIRED.
	</p>

	<p>
		 
	</p>
	<p>
		Ransomware may be the defining cybercrime of the past decade, with criminals targeting a wide range of victims including hospitals, schools, and governments. The attackers encrypt critical data, bringing the victim’s operation to a grinding halt, and then extort them with the threat of releasing sensitive information. These attacks have had serious consequences. In 2021, the Colonial Pipeline Company was <a href="https://www.wired.com/story/darkside-ransomware-colonial-pipeline-response/" rel="external nofollow">targeted by ransomware</a>, forcing the company to pause fuel delivery and spurring US president Joe Biden to <a href="https://www.whitehouse.gov/briefing-room/speeches-remarks/2021/05/13/remarks-by-president-biden-on-the-colonial-pipeline-incident/" rel="external nofollow">implement emergency measures</a> to meet demand. But ransomware attacks are a daily event around the world—last week, ransomware <a href="https://www.telegraph.co.uk/news/2024/06/05/russian-cyber-criminals-thought-to-be-behind-nhs-attack/" rel="external nofollow">hit hospitals in the UK</a>—and many of them don’t make headlines.
	</p>

	<p>
		 
	</p>

	<p>
		“There is a visibility problem into incidents; most organizations don't disclose or report them,” says Brett Callow, a threat analyst at Emsisoft. He adds that this makes it “hard to ascertain which way they are trending” on a month-by-month basis.
	</p>

	<p>
		 
	</p>

	<p>
		Researchers are forced to rely on information from public institutions that disclose attacks, or even criminals themselves. But “criminals are lying bastards,” says Liska.
	</p>

	<p>
		 
	</p>

	<p>
		By all indications, the problem is not going away and may even be accelerating in 2024. According to <a href="https://cloud.google.com/blog/topics/threat-intelligence/ransomware-attacks-surge-rely-on-public-legitimate-tools" rel="external nofollow">a recent report by security firm Mandiant</a>, a Google subsidiary, 2023 was a record-breaking year for ransomware. Reporting indicates that victims paid more than $1 billion to gangs—and those are just the payments that we know about.
	</p>

	<p>
		 
	</p>
</div>

<div class="article-content post-page" itemprop="articleBody">
	<p>
		A major trend identified in the report was more frequent posts by gangs to so-called “shame sites,” where attackers leak data as part of an extortion attempt. There was a 75 percent jump in posts to data leak sites in 2023 compared to 2022, according to Mandiant. These sites employ flashy tactics like countdowns to when the sensitive data of victims will be made public if they don’t pay. This illustrates how ransomware gangs are ramping up the severity of their intimidation tactics, experts told WIRED.
	</p>

	<p>
		 
	</p>

	<p>
		“Generally speaking, their tactics are becoming progressively more brutal,” Callow says.
	</p>

	<p>
		 
	</p>

	<p>
		For example, hackers have also begun to directly threaten victims with intimidating phone calls or emails. In 2023, the Fred Hutchinson Cancer Center in Seattle was struck by a ransomware attack, and cancer patients were <a href="https://www.kiro7.com/news/local/cancer-patients-continue-face-blackmail-threats-weeks-after-fred-hutch-hack/B3PCXEYMXFE45NAEUOWVURJOCU/" rel="external nofollow">individually sent emails</a> threatening to release their personal information if they did not pay.
	</p>

	<p>
		 
	</p>

	<p>
		“My concern is that this will spill over into real-world violence very soon,” says Callow. “When there are millions to be had, they might do something bad to an executive of a company that was refusing to pay, or a member of their family.”
	</p>

	<p>
		 
	</p>

	<p>
		While there hasn’t yet been a reported instance of violence resulting from a ransomware attack, gangs have used the threat as a tactic. “We’ve seen in negotiations that have been leaked that they’ve hinted that they might do something like that, saying, ‘We know where your CEO lives,’” Liska says.
	</p>

	<p>
		 
	</p>

	<p>
		Speaking of criminals’ callous approach to life and death, it’s worth noting that <a href="https://www.statnews.com/2023/11/17/hospital-ransomware-attack-patient-deaths-study/" rel="external nofollow">researchers estimate</a> that, between 2016 and 2021, ransomware attacks have killed between 42 and 67 Medicare patients due to targeting hospitals and delaying life-saving treatments.
	</p>

	<p>
		 
	</p>

	<p>
		Liska notes that ransomware gangs don’t operate in a vacuum. Their membership overlaps with entities like “the Comm,” a loose global network of criminals who organize online and offer violence-as-a-service in addition to more traditional cybercrime like <a href="https://www.wired.com/story/sim-swap-attack-fcc-ransomware-apple-pay/" rel="external nofollow">SIM swapping</a>. Comm members advertise their willingness to beat people, shoot at homes, and <a href="https://www.wired.com/story/764-com-child-predator-network/" rel="external nofollow">post grisly videos</a> purporting to depict acts of torture. Last year, <a href="https://www.404media.co/sim-swappers-are-working-directly-with-ransomware-gangs-now/" rel="external nofollow">404 Media reported</a> that Comm members are working directly with ransomware groups like AlphV, a notorious entity that assisted with a high-profile hack of MGM Casinos before the FBI <a href="https://www.wired.com/story/alphv-blackcat-ransomware-doj-takedown/" rel="external nofollow">disrupted its operations</a> by developing a decryption tool and seizing several websites—only to <a href="https://www.wired.com/story/blackcat-ransomware-disruptions-comebacks/" rel="external nofollow">return months later</a> with an attack on Change Healthcare that disrupted medical services around the US.
	</p>

	<p>
		 
	</p>

	<p>
		“It makes me very concerned,” Liska says of the link between ransomware gangs and violent cybercriminals.
	</p>

	<p>
		 
	</p>

	<p>
		Law enforcement has seen some recent success in disrupting, if not completely eradicating, ransomware groups. In February, an international collaboration dubbed Operation Cronos disrupted <a href="https://www.wired.com/story/lockbit-ransomware-attacks/" rel="external nofollow">the prolific LockBit ransomware operation</a> by seizing its websites and offering free decryption to victims. Officials also <a href="https://therecord.media/lockbit-affiliates-arrested-in-ukraine-poland" rel="external nofollow">arrested two alleged affiliates</a> of the group who were based in Ukraine and Poland.
	</p>

	<p>
		 
	</p>

	<p>
		It’s been difficult to make a dent in the volume of ransomware attacks in part because ransomware gangs—<a href="https://www.wired.com/story/conti-leaks-ransomware-work-life/" rel="external nofollow">which work almost like startups</a>, sometimes offering a subscription service and 24/7 support for their software while they recruit affiliates that carry out attacks—are frequently based in Russia. This has prompted Western law enforcement to <a href="https://www.wired.com/story/cop-cybercriminal-hacker-psyops/" rel="external nofollow">turn gangs’ own intimidation tactics and psychological games against them</a>.
	</p>

	<p>
		 
	</p>

	<p>
		For example, Operation Cronos used a countdown timer in the style of a ransomware shame site to <a href="https://www.wired.com/story/lockbitsupp-lockbit-ransomware/" rel="external nofollow">reveal the identity</a> of LockBit’s alleged boss, 31-year-old Russian national Dmitry Khoroshev. He was also charged in a 26-count indictment by US prosecutors, and sanctioned. Since Khoroshev is apparently in Russia, he’s unlikely to be arrested unless he leaves the country. But revealing his identity can still have the effect of further disrupting his ransomware operation by eroding affiliates’ trust in him and putting a target on his back.
	</p>

	<p>
		 
	</p>

	<p>
		“There are a lot of people who will be interested in trying to get their hands on some of his money,” says Callow. “There will be people who would be willing to bash him on the head and drag him across the border to a country from which he can be extradited.” Affiliates may also be concerned about the possibility of his arrest if he voluntarily leaves Russia.
	</p>

	<p>
		 
	</p>

	<p>
		“Law enforcement is adapting to let them know that they are vulnerable,” Liska says.
	</p>

	<p>
		 
	</p>

	<p>
		Another obstacle to reining in ransomware is the Hydra-esque nature of affiliates. After the LockBit disruption, analysts saw 10 new ransomware sites pop up almost immediately. “That is more than we’ve seen in a 30-day period at any point,” says Liska.
	</p>

	<p>
		 
	</p>

	<p>
		Law enforcement is adapting to this reality, too. In May, an international collaboration called <a href="https://krebsonsecurity.com/2024/05/operation-endgame-hits-malware-delivery-platforms/" rel="external nofollow">Operation Endgame announced</a> that it had successfully disrupted multiple operations distributing malware “droppers.” Droppers are an important part of the cybercrime ecosystem as they allow hackers to deliver ransomware or other malicious code undetected. Operation Endgame resulted in four arrests in Armenia and Ukraine, took down more than 100 servers, and seized thousands of domains. Endgame employed psychological tactics similar to Operation Cronos, like a countdown to flashy videos containing Russian text and encouraging criminals to “think about (y)our next move.”
	</p>

	<p>
		 
	</p>

	<p>
		While the scale of the ransomware problem may seem difficult to get a handle on, both Liska and Callow say it’s not impossible. Callow says that a ban on payment to ransomware gangs would make the biggest difference. Liska was less enthusiastic about the prospects of a payment ban but suggested that law enforcement’s continuing actions could eventually make a real dent.
	</p>

	<p>
		 
	</p>

	<p>
		“We talk about whack-a-mole a lot when it comes to ransomware groups—you knock one down and another pops up,” says Liska. “But I think what these [law enforcement] operations are doing is they’re making the board smaller. So yes, you knock one down, and another one pops up. But you wind up with, hopefully, fewer and fewer of them popping up.”
	</p>

	<p>
		 
	</p>

	<p>
		<em>This story originally appeared on <a href="https://www.wired.com/story/state-of-ransomware-2024/" rel="external nofollow">wired.com.</a></em>
	</p>

	<p>
		 
	</p>
</div>

<p>
	<a href="https://arstechnica.com/security/2024/06/ransomware-gangs-are-adopting-more-brutal-tactics-amidst-crackdowns/" rel="external nofollow">Source</a>
</p>

<p>
	 
</p>

]]></description><guid isPermaLink="false">23639</guid><pubDate>Tue, 11 Jun 2024 21:20:40 +0000</pubDate></item><item><title>Apple&#x2019;s AI promise: &#x201C;Your data is never stored or made accessible to Apple&#x201D;</title><link>https://nsaneforums.com/news/security-privacy-news/apple%E2%80%99s-ai-promise-%E2%80%9Cyour-data-is-never-stored-or-made-accessible-to-apple%E2%80%9D-r23631/</link><description><![CDATA[<h3>
	And publicly reviewable server code means experts can "verify this privacy promise."
</h3>

<div class="article-content post-page" itemprop="articleBody">
	
	<p>
		With most large language models being run on remote, cloud-based server farms, some users have been reluctant to share personally identifiable and/or private data with AI companies. In its WWDC keynote today, Apple stressed that the new "Apple Intelligence" system it's integrating into its products will use a new "Private Cloud Compute" to ensure any data processed on its cloud servers is protected in a transparent and verifiable way.
	</p>

	<p>
		 
	</p>

	<p>
		"You should not have to hand over all the details of your life to be warehoused and analyzed in someone's AI cloud," Apple Senior VP of Software Engineering Craig Federighi said.
	</p>

	<h2>
		Trust, but verify
	</h2>

	<p>
		Part of what Apple calls "a brand new standard for privacy and AI" is achieved through on-device processing. Federighi said "many" of Apple's generative AI models can run entirely on a device powered by an A17+ or M-series chip, eliminating the risk of sending your personal data to a remote server.
	</p>

	<p>
		 
	</p>

	<p>
		When a bigger, cloud-based model is needed to fulfill a generative AI request, though, Federighi stressed that it will "run on servers we've created especially using Apple silicon," which allows for the use of security tools built into <a href="https://arstechnica.com/gadgets/2014/06/a-fast-look-at-swift-apples-new-programming-language/" rel="external nofollow">the Swift programming language</a>. The Apple Intelligence system "sends only the data that's relevant to completing your task" to those servers, Federighi said, rather than giving blanket access to the entirety of the contextual information the device has access to.
	</p>

	<p>
		 
	</p>

	<p>
		And Apple says that minimized data is not going to be saved for future server access or used to further train Apple's server-based models, either. "Your data is never stored or made accessible to Apple," Federighi said. "It's used exclusively to fill your request."
	</p>

	<p>
		 
	</p>

	<p>
		But you don't just have to trust Apple on this score, Federighi claimed. That's because the server code used by Private Cloud Compute will be publicly accessible, meaning that "independent experts can inspect the code that runs on these servers to verify this privacy promise." The entire system has been set up cryptographically so that Apple devices "will refuse to talk to a server unless its software has been publicly logged for inspection."
	</p>

	<p>
		 
	</p>

	<p>
		While the keynote speech was light on details for the moment, the focus on privacy during the presentation shows that Apple is at least prioritizing security concerns in its messaging as it wades into the generative AI space for the first time. We'll see what security experts have to say when these servers and their code are made publicly available in the near future.
	</p>

	<p>
		 
	</p>
</div>

<p>
	<a href="https://arstechnica.com/ai/2024/06/apples-ai-promise-your-data-is-never-stored-or-made-accessible-by-apple/" rel="external nofollow">Source</a>
</p>

<p>
	 
</p>

]]></description><guid isPermaLink="false">23631</guid><pubDate>Tue, 11 Jun 2024 03:27:29 +0000</pubDate></item><item><title>Google is ready to fill free streaming TV channels with ads</title><link>https://nsaneforums.com/news/security-privacy-news/google-is-ready-to-fill-free-streaming-tv-channels-with-ads-r23630/</link><description><![CDATA[<h3>
	Advertisers can plug into Google TV device ad spots, where a growing number of viewers are watching free streaming channels.
</h3>

<div>
	<div class="duet--article--article-body-component">
		<p>
			Google is <a href="https://blog.google/products/ads-commerce/meet-the-google-tv-network/" rel="external nofollow">launching a new advertising network</a> that serves targeted ads to Google TV-powered streaming boxes and smart TVs. The ads service, known as the Google TV network, lets advertisers place unskippable in-stream ad spots across more than 125 live channels — many that are FAST, or free ad-supported streaming TV channels that <a href="https://www.theverge.com/2023/12/6/23990561/google-is-hell-bent-on-getting-you-to-notice-its-free-tv-channels" rel="external nofollow">Google’s been hell-bent on getting users to notice</a>.
		</p>

		<p>
			 
		</p>
	</div>

	<div class="duet--article--article-body-component">
		<p>
			Google says there are 20 million monthly active Google TV and Android TV OS devices, a significant figure for advertisers to consider. The reach can go even further when including YouTube, which reaches over 150 million monthly active viewers in the living room. Google Ads and Google Display &amp; Video 360 users can expand their campaigns to include the Google TV network by checking a new box under YouTube &amp; Google. Google Ads can spread across networks on Google TV, and include Google-owned ad inventory in third-party apps.
		</p>

		<p>
			 
		</p>
	</div>

	<div class="duet--article--article-body-component">
		<p>
			According to Google, viewers of Google TV’s free channels watch on average 75 minutes per day. FAST channels are <a href="https://www.theverge.com/23680217/fast-services-tubi-roku-pluto-tv" rel="external nofollow">growing fast</a> since it’s the closest thing to paid cable service without the bill, and while the content is mostly reruns, sometimes people just want that old-school background noise — a perfect place for ads.
		</p>

		<p>
			 
		</p>
	</div>
</div>

<p>
	<a href="https://www.theverge.com/2024/6/10/24175676/google-fast-ads-streaming-tv-network" rel="external nofollow">Source</a>
</p>

<p>
	 
</p>

]]></description><guid isPermaLink="false">23630</guid><pubDate>Tue, 11 Jun 2024 03:26:28 +0000</pubDate></item><item><title>78% of people use the same password across multiple accounts</title><link>https://nsaneforums.com/news/security-privacy-news/78-of-people-use-the-same-password-across-multiple-accounts-r23618/</link><description><![CDATA[<p>
	A new report from Forbes Advisor reveals current password security trends by surveying 2,000 individuals. Notable trends include password reuse and frequent password changes due to security breaches. Other password trends noted in the report include:
</p>

<p>
	 
</p>

<ul>
	<li>
		78% of individuals use the same password for more than one account. 52% use it for at least three accounts, and 4% use it on at least 11.
	</li>
	<li>
		30% of individuals use password managers.
	</li>
	<li>
		22% of Americans do not use any safety measures to secure passwords.
	</li>
</ul>

<p>
	 
</p>

<p>
	The report also uncovered which accounts are most likely to be a target for password hacking. These include:
</p>

<p>
	 
</p>

<ul>
	<li>
		Social media accounts (29%)
	</li>
	<li>
		Email accounts (15%)
	</li>
	<li>
		Home Wi-Fi (9%)
	</li>
	<li>
		Shopping accounts (8%)
	</li>
	<li>
		Streaming platforms (7%)
	</li>
</ul>

<p>
	 
</p>

<p>
	According to the survey respondents, the most common reason their passwords were hacked was a weak password (35%), followed by password reuse (30%), company data breaches (27%) and phishing (21%). 17% said they were unsure how their password was hacked.
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://www.securitymagazine.com/articles/100765-78-of-people-use-the-same-password-across-multiple-accounts" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">23618</guid><pubDate>Mon, 10 Jun 2024 13:25:21 +0000</pubDate></item><item><title>London Hospitals Seek Biologics Backup After Ransomware Hit</title><link>https://nsaneforums.com/news/security-privacy-news/london-hospitals-seek-biologics-backup-after-ransomware-hit-r23616/</link><description><![CDATA[<p>
	Last week's ransomware attack on a British pathology services vendor has disrupted multiple London hospitals' ability to match patients' blood with available stocks.
</p>

<p>
	 
</p>

<p>
	As a result, England's National Health Service has issued an urgent appeal for O positive and O negative blood donors to book appointments in the coming weeks, as officials seek a workaround.
</p>

<p>
	 
</p>

<p>
	"For surgeries and procedures requiring blood to take place, hospitals need to use O type blood as this is safe to use for all patients and blood has a shelf life of 35 days, so stocks need to be continually replenished," said NHS Blood and Transplant.
</p>

<p>
	 
</p>

<p>
	"That means more units of these types of blood than usual will be required over the coming weeks to support the wider efforts of frontline staff to keep services running safely for local patients," it said.
</p>

<p>
	 
</p>

<p>
	The appeal follows a June 3 ransomware attack against Synnovis, a pathology services vendor that operates as a partnership between two London-based hospital trusts and Munich-based SYNLAB, which is one of Europe's leading providers of laboratory diagnostic services (see: Qilin RaaS Group Believed to Be Behind Synnovis, NHS Attack).
</p>

<p>
	 
</p>

<p>
	The attack has delayed organ transplants, elective surgeries and other procedures due in part to the fact that hospitals relying on Synnovis' services "cannot currently match patients' blood at the same frequency as usual," the NHS said.
</p>

<p>
	 
</p>

<p>
	Lacking a system-level solution to the problem, officials' plan B has been a biologics approach. Instead of attempting to match patients' blood type with available stocks, they instead want to use O type blood, known as the universal blood type, whenever possible.
</p>

<p>
	 
</p>

<p>
	"Patient safety is our absolute priority. When hospitals do not know a patient's blood type or cannot match their blood, it is safe to use O type blood," said Dr. Gail Miflin, chief medical officer at NHS Blood and Transplant.
</p>

<p>
	 
</p>

<p>
	Officials said they're seeking to fill 13,000 O type blood donor slots, including 3,400 in London alone, just this week, and that the need for more such donations will continue for the foreseeable future.
</p>

<p>
	 
</p>

<p>
	O positive type blood can be given to anyone with a positive blood type, and O negative to anyone with a negative blood type.
</p>

<p>
	 
</p>

<p>
	The NHS said O positive is the world's most common blood type, with 35% of donors having it, and 76% of the population being able to use it. By contrast, 8% of the population in England has type O negative blood, and requests for that type of blood normally comprise 15% of hospital orders.
</p>

<p>
	 
</p>

<p>
	One potential complication is that O type blood is essential for emergency care, and carried by air ambulances and emergency response vehicles when responding to serious emergencies. Any shortfall in O type blood supplies could lead to further canceled appointments or surgeries, or potentially having to triage its availability for emergency responders.
</p>

<p>
	 
</p>

<p>
	"A number of operations and appointments have been postponed or diverted to other neighboring hospitals not impacted by the cyberattack, as we prioritize pathology services for the most clinically urgent cases," said Stephen Powis, NHS England's medical director.
</p>

<p>
	"To help London staff support and treat more patients, they need access to O negative and O positive blood, so if one of these is your blood type, please come forward to one of the 13,000 appointments currently available in NHS Blood Donor Centers," he said.
</p>

<p>
	 
</p>

<p>
	Numerous non-urgent surgeries and inpatient admissions have been canceled at London's King's College Hospital, Royal Brompton Hospital - the U.K.'s largest specialist heart and lung medical center - as well as Evelina London Children's Hospital, and disrupted primary care across southeast London.
</p>

<p>
	 
</p>

<p>
	"Pathology services at the impacted sites are available - albeit at a reduced capacity - with the most urgent cases being prioritized," Chris Streather, the medical director for NHS England London, said Wednesday. "Unfortunately, some non-urgent operations and procedures including transplants continue to be postponed, while nearly all non-urgent blood tests have been postponed in primary care services in southeast London."
</p>

<p>
	 
</p>

<p>
	NHS England said its cybersecurity incident response team continues to respond to this incident. "At present the full extent of the attack, as well as the impact upon data, is not known," it said.
</p>

<p>
	 
</p>

<p>
	The attack against Synnovis is the latest in a long line of extortion-driven attacks attributed to Russian-speaking ransomware groups. They continue to operate with impunity - provided they never attack Russia or its allies - as often they crypto-lock a victim's systems and demand a ransom in return for a decryption key or promise to not leak stolen data (see: Yet More Evidence Highlights Ransomware Groups' Banner Year).
</p>

<p>
	 
</p>

<p>
	This latest attack on the NHS already stands as "one of the most unpleasant and impactful cyber incidents in the U.K. in recent years," cybersecurity expert Ciaran Martin, who formerly headed Britain's National Cyber Security Centre, told the Times of London.
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://www.databreachtoday.co.uk/london-hospitals-seek-biologics-backup-after-ransomware-hit-a-25464" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">23616</guid><pubDate>Mon, 10 Jun 2024 13:19:36 +0000</pubDate></item><item><title>Christie&#x2019;s Says Ransomware Attack Impacts 45,000 People</title><link>https://nsaneforums.com/news/security-privacy-news/christie%E2%80%99s-says-ransomware-attack-impacts-45000-people-r23614/</link><description><![CDATA[<p>
	<span style="font-size:20px;"><strong>Auction house Christie’s says the data breach caused by the recent ransomware attack impacts the information of 45,000 individuals.</strong></span>
</p>

<p>
	 
</p>

<p>
	According to information submitted by the company to the Maine Attorney General, the intrusion was discovered on May 9. An investigation showed that the attackers managed to steal some files containing personal information.
</p>

<p>
	 
</p>

<p>
	Impacted individuals are being notified. The notification letter sample submitted by Christie’s to the Maine AG does not specify what type of data was compromised besides names, driver’s license numbers, and non-driver identification card numbers.
</p>

<p>
	 
</p>

<p>
	Impacted individuals are being offered identity theft and fraud monitoring services for 12 months, which suggests sensitive personal information was stolen by the hackers.
</p>

<p>
	 
</p>

<p>
	The RansomHub ransomware group has taken credit for the attack, claiming to have stolen information such as name, birth date, address, and data from identification documents.
</p>

<p>
	 
</p>

<p>
	The hackers claimed to have stolen information belonging to at least 500,000 Christie’s clients from around the world, but it’s not uncommon for ransomware groups to exaggerate their claims.
</p>

<p>
	 
</p>

<p style="text-align:center;">
	<img alt="Christies-ransomware-1536x472.png" class="ipsImage" data-ratio="65.56" height="221" width="720" src="https://www.securityweek.com/wp-content/uploads/2024/06/Christies-ransomware-1536x472.png" />
</p>

<p>
	On their leak website, the cybercriminals claimed to have sold the data stolen from the auction house. However, Emsisoft threat analyst and ransomware expert Brett Callow has questioned their claims, saying that they likely don’t want to admit not being able to monetize the attack.
</p>

<p>
	 
</p>

<p>
	Broadcom’s Symantec reported last week that its researchers had found evidence suggesting that the RansomHub ransomware-as-a-service is “very likely an updated and rebranded version of the older Knight ransomware”.
</p>

<p>
	 
</p>

<p>
	However, Symantec said it’s unlikely that the creators of Knight are also operating RansomHub, noting that the Knight source code was put up for sale in February 2024 after its developers decided to shut down the operation.
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://www.securityweek.com/christies-says-ransomware-attack-impacts-45000-people/" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">23614</guid><pubDate>Mon, 10 Jun 2024 13:09:54 +0000</pubDate></item><item><title>Microsoft to help rural hospitals defend against rising cybersecurity attacks</title><link>https://nsaneforums.com/news/security-privacy-news/microsoft-to-help-rural-hospitals-defend-against-rising-cybersecurity-attacks-r23613/</link><description><![CDATA[<p>
	REDMOND, Wash., June 10, 2024 /PRNewswire/ -- On Monday, Microsoft Corp. announced a new cybersecurity program to support hospitals serving more than 60 million people living in rural America. In 2023, the health care sector reported more ransomware attacks than any other critical infrastructure sector, and attacks involving ransomware against the healthcare sector were up nearly 130%.
</p>

<p>
	 
</p>

<p>
	Cybersecurity attacks disrupt health care operations across the country and pose a direct threat to patient care and essential operations of hospitals. In rural communities these attacks can be devastating, particularly to smaller, independent Critical Access and Rural Emergency hospitals with limited means to prevent and remediate security risks and often the only healthcare option for many miles in the communities they serve.
</p>

<p>
	 
</p>

<p>
	According to the National Rural Health Association, rural health clinics are one of the top targets for cyberattacks. The new Microsoft Cybersecurity Program for Rural Hospitals is designed to support the unique cybersecurity needs of these organizations and will deliver free and low-cost technology services for these hospitals, along with free training and support.
</p>

<p>
	 
</p>

<p>
	"Healthcare should be available no matter where you call home, and the rise in cyberattacks threatens the viability of rural hospitals and impact communities across the U.S.," said Justin Spelhaug, corporate vice president, Microsoft Philanthropies. "Microsoft is committed to delivering vital technology security and support at a time when these rural hospitals need them most."
</p>

<p>
	 
</p>

<p>
	For independent Critical Access Hospitals and Rural Emergency Hospitals, Microsoft will provide nonprofit pricing and discounts for its security products optimized for smaller organizations, providing up to a 75% discount. And for some larger rural hospitals already using eligible Microsoft solutions, the company will be providing its most advanced security suite at no cost for one year. As part of the new program, the company is also providing Windows 10 security updates to participating rural hospitals for at least one year at no additional cost. Microsoft will also provide free cybersecurity assessments through Microsoft and its trusted partners to evaluate risks and gaps and offer free cybersecurity training to staff in rural hospitals to help them better manage the day-to-day security of their systems.
</p>

<p>
	 
</p>

<p>
	Today's news was announced in close collaboration with The White House, the American Hospital Association and the National Rural Health Association. Microsoft will work with all three institutions on the rollout, adoption and effectiveness of the program.
</p>

<p>
	 
</p>

<p>
	"Cyber-attacks against the U.S. healthcare systems rose 130% in 2023, forcing hospitals to cancel procedures and impacting Americans' access to critical care. Rural hospitals are particularly hard hit as they are often the sole source of care for the communities they serve and lack trained cyber staff and modern cyber defenses. President Biden is committed to every American having access to the care they need, and effective cybersecurity is a part of that. So, we're excited to work with Microsoft to launch cybersecurity programs that will provide training, advice and technology to help America's rural hospitals be safe online," said Anne Neuberger, Deputy National Security Advisor for Cyber and Emerging Technologies.
</p>

<p>
	 
</p>

<p>
	Today's announcement is one part of Microsoft's work in communities across the United States and around the world to improve healthcare for those living in rural areas. Through the AI for Health program, Microsoft is working with nonprofits, researchers and organizations working on global health challenges to make advances in telemedicine and improve clinical decision-making and prediction. Microsoft is also working with rural hospital leaders to rapidly bring AI solutions to market to meet their unique needs.
</p>

<p>
	 
</p>

<p>
	"Hospitals and health systems have invested significant resources to guard against cyberattacks, but they can't do it alone. Cybersecurity is a shared responsibility, and these investments from Microsoft help reinforce that," said Rick Pollack, president and CEO, the American Hospital Association. "Rural hospitals are often the primary source of healthcare in their communities, so keeping them open and safe from cyberattacks is critical. We appreciate Microsoft stepping forward to offer its expertise and resources to help secure part of America's healthcare safety net."
</p>

<p>
	 
</p>

<p>
	"Rural hospitals face a unique challenge in cybersecurity, balancing limited resources with the increasing sophistication of cyberthreats, which puts patient data and critical healthcare infrastructure at risk," said Alan Morgan, chief executive officer of NRHA. "This important partnership with Microsoft will help ensure that rural hospitals are prepared in the future to meet this rising threat in small rural facilities."
</p>

<p>
	 
</p>

<p>
	In addition to the security program for rural hospitals, Microsoft is working with community colleges to deliver the Cybersecurity Skills Initiative and through the TechSpark program to drive technology and cybersecurity job creation in partnership with local organizations.
</p>

<p>
	 
</p>

<p>
	Through the Microsoft Airband initiative, the company collaborates with public, private and nonprofit organizations to bring high-speed internet access to rural communities across America and build the digital infrastructure required for internet access and adoption.
</p>

<p>
	 
</p>

<p>
	The Microsoft Cybersecurity Program for Rural Hospitals in the United States is immediately available. To learn more and register for the program, please visit <a href="https://aka.ms/Microsoft_Security_Rural_Hospitals" rel="external nofollow">https://aka.ms/Microsoft_Security_Rural_Hospitals</a>.
</p>

<p>
	 
</p>

<p>
	Microsoft (Nasdaq "MSFT" @microsoft) creates platforms and tools powered by AI to deliver innovative solutions that meet the evolving needs of our customers. The technology company is committed to making AI available broadly and doing so responsibly, with a mission to empower every person and every organization on the planet to achieve more.
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://www.prnewswire.com/news-releases/microsoft-to-help-rural-hospitals-defend-against-rising-cybersecurity-attacks-302168139.html" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">23613</guid><pubDate>Mon, 10 Jun 2024 13:05:02 +0000</pubDate></item><item><title>Azure Service Tags Vulnerability: Microsoft Warns of Potential Abuse by Hackers</title><link>https://nsaneforums.com/news/security-privacy-news/azure-service-tags-vulnerability-microsoft-warns-of-potential-abuse-by-hackers-r23611/</link><description><![CDATA[<p>
	Microsoft is warning about the potential abuse of Azure Service Tags by malicious actors to forge requests from a trusted service and get around firewall rules, thereby allowing them to gain unauthorized access to cloud resources.
</p>

<p>
	 
</p>

<p>
	"This case does highlight an inherent risk in using service tags as a single mechanism for vetting incoming network traffic," the Microsoft Security Response Center (MSRC) said in guidance issued last week.
</p>

<p>
	 
</p>

<p>
	"Service tags are not to be treated as a security boundary and should only be used as a routing mechanism in conjunction with validation controls. Service tags are not a comprehensive way to secure traffic to a customer's origin and do not replace input validation to prevent vulnerabilities that may be associated with web requests."
</p>

<p>
	 
</p>

<p>
	The statement comes in response to findings from cybersecurity firm Tenable, which showed that firewall rules relying solely on Azure Service Tags to identify trusted traffic could be bypassed from another tenant. There is no evidence that the feature has been exploited in the wild.
</p>

<p>
	 
</p>

<p>
	The problem, at its core, stems from the fact that some Azure services let a user control web requests that the service then sends on their behalf, and that traffic leaves from the IP ranges the service tag covers. An attacker in one tenant can therefore send specially crafted web requests to resources in another tenant, provided the target has been configured to allow traffic from the service tag and does not perform any authentication of its own.
</p>
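<p>
	To make Microsoft's point concrete, here is an added example (not code from the article, Microsoft or Tenable) contrasting an allow rule that trusts a service tag's source ranges on its own with the same rule backed by a validation control. The tag's prefix (203.0.113.0/24, a documentation range), the header name and the shared secret are hypothetical. The attacker in the scenario drives the same Azure service from their own tenant, so their request arrives from the same ranges as the customer's own; only the per-customer secret separates the two.
</p>

```python
"""Service-tag allow rule alone vs. the same rule plus a validation control.
Added example, not code from the article, Microsoft or Tenable. The prefix,
header name and secret below are constructed for illustration."""
import hashlib
import hmac
import ipaddress
from dataclasses import dataclass, field

# Hypothetical: the IP prefixes published behind a service tag. Every tenant's
# instance of that service egresses from these ranges, not only yours.
SERVICE_TAG_PREFIXES = [ipaddress.ip_network("203.0.113.0/24")]

# Hypothetical per-customer secret configured into *your* service instance.
SHARED_SECRET = b"constructed-shared-secret-do-not-reuse"


@dataclass
class Request:
    source_ip: str
    path: str
    body: bytes
    headers: dict = field(default_factory=dict)


def from_service_tag(ip: str) -> bool:
    """True when the source address falls inside the tag's published ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in SERVICE_TAG_PREFIXES)


def weak_allow(req: Request) -> bool:
    """Firewall-only check: trust anything arriving from the tag's ranges."""
    return from_service_tag(req.source_ip)


def sign(secret: bytes, path: str, body: bytes) -> str:
    """HMAC-SHA256 over path and body; the caller proves it holds the secret."""
    return hmac.new(secret, path.encode() + b"\n" + body, hashlib.sha256).hexdigest()


def hardened_allow(req: Request) -> bool:
    """Tag as routing plus a validation control: the signature must verify."""
    if not from_service_tag(req.source_ip):
        return False
    presented = req.headers.get("X-Origin-Signature", "")
    expected = sign(SHARED_SECRET, req.path, req.body)
    # Constant-time comparison so the check itself does not leak the digest.
    return hmac.compare_digest(presented, expected)


def scenario() -> dict:
    """Three constructed callers: the customer's own service instance, an
    attacker-driven instance in another tenant, and a plain internet host."""
    body = b'{"job":"export"}'
    legit = Request("203.0.113.10", "/webhook", body,
                    {"X-Origin-Signature": sign(SHARED_SECRET, "/webhook", body)})
    # Same service, same tag ranges, different tenant: cannot produce a signature.
    attacker = Request("203.0.113.77", "/webhook", body, {})
    internet = Request("198.51.100.5", "/webhook", body, {})
    callers = (legit, attacker, internet)
    return {
        "weak": [weak_allow(r) for r in callers],
        "hardened": [hardened_allow(r) for r in callers],
    }


if __name__ == "__main__":
    print(scenario())
```

<p>
	The weak check admits the attacker because the tag cannot distinguish tenants; the hardened check still uses the tag, but as a first filter in front of an authentication step the attacker cannot satisfy. An HMAC header is one shape of that step; an Entra ID token on the request or a private endpoint that removes the public path altogether are others, and which fits depends on what the calling service supports.
</p>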

<p>
	 
</p>

<p>
	At least 10 Azure services have been found vulnerable: Azure Application Insights, Azure DevOps, Azure Machine Learning, Azure Logic Apps, Azure Container Registry, Azure Load Testing, Azure API Management, Azure Data Factory, Azure Action Group, Azure AI Video Indexer, and Azure Chaos Studio.
</p>

<p>
	 
</p>

<p>
	"This vulnerability enables an attacker to control server-side requests, thus impersonating trusted Azure services," Tenable researcher Liv Matan said. "This enables the attacker to bypass network controls based on Service Tags, which are often used to prevent public access to Azure customers' internal assets, data, and services."
</p>

<p>
	 
</p>

<p>
	In response to the disclosure in late January 2024, Microsoft has updated the documentation to explicitly note that "Service Tags alone aren't sufficient to secure traffic without considering the nature of the service and the traffic it sends."
</p>

<p>
	 
</p>

<p>
	It's also recommended that customers review their use of service tags and ensure they have adopted adequate security guardrails to authenticate only trusted network traffic for service tags.
</p>
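<p>
	One concrete starting point for that review, as an added example rather than tooling from Microsoft or Tenable: walk an exported network security group and list every inbound Allow rule whose source is a tag name rather than an explicit address or prefix. The NSG document below is constructed. It follows the ARM layout in which each rule carries a properties object; the code also accepts rules with the fields flattened onto the rule itself, which is the shape assumed for Azure CLI output.
</p>

```python
"""List inbound Allow rules that key on a service tag instead of a prefix.
Added example, not Microsoft's or Tenable's tooling; the NSG below is constructed."""
import ipaddress
import json

SAMPLE_NSG = json.loads("""
{
  "name": "app-nsg",
  "properties": {
    "securityRules": [
      {"name": "AllowFromLogicApps",
       "properties": {"direction": "Inbound", "access": "Allow", "priority": 100,
                      "protocol": "Tcp", "sourceAddressPrefix": "LogicApps",
                      "destinationPortRange": "443"}},
      {"name": "AllowOffice",
       "properties": {"direction": "Inbound", "access": "Allow", "priority": 110,
                      "protocol": "Tcp", "sourceAddressPrefix": "198.51.100.0/24",
                      "destinationPortRange": "443"}},
      {"name": "AllowMulti",
       "properties": {"direction": "Inbound", "access": "Allow", "priority": 120,
                      "protocol": "*", "sourceAddressPrefix": null,
                      "sourceAddressPrefixes": ["AzureCloud", "10.0.0.0/8"],
                      "destinationPortRange": "*"}},
      {"name": "DenyTagOutbound",
       "properties": {"direction": "Outbound", "access": "Deny", "priority": 200,
                      "protocol": "*", "sourceAddressPrefix": "VirtualNetwork",
                      "destinationPortRange": "*"}}
    ]
  }
}
""")


def is_service_tag(prefix) -> bool:
    """A source that is neither an IP, a CIDR nor the wildcard is a tag name
    (regional variants such as Storage.WestUS are caught the same way)."""
    if prefix is None or prefix == "*":
        return False
    try:
        ipaddress.ip_network(prefix, strict=False)
        return False
    except ValueError:
        return True


def tag_based_inbound_allows(nsg: dict) -> list:
    """Return the inbound Allow rules whose source includes any service tag."""
    props = nsg.get("properties", nsg)          # ARM layout or flattened
    findings = []
    for rule in props.get("securityRules", []):
        r = rule.get("properties", rule)        # per-rule: nested or flattened
        if r.get("direction") != "Inbound" or r.get("access") != "Allow":
            continue
        sources = [r.get("sourceAddressPrefix")] + list(r.get("sourceAddressPrefixes") or [])
        tags = [s for s in sources if is_service_tag(s)]
        if tags:
            findings.append({
                "rule": rule["name"],
                "priority": r.get("priority"),
                "tags": tags,
                "ports": r.get("destinationPortRange"),
            })
    return findings


if __name__ == "__main__":
    for f in tag_based_inbound_allows(SAMPLE_NSG):
        print(f"{f['rule']} (priority {f['priority']}): tags {f['tags']} -> ports {f['ports']}")
```

<p>
	Each hit is a rule where the only thing standing between the internet and the destination is the identity of the sending Azure service, so the follow-up question for every one is what authentication the listening application performs on its own. The same walk applies to Azure Firewall and application-level allow lists; only the field names change.
</p>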

<p>
	 
</p>

<p>
	<strong><a href="https://thehackernews.com/2024/06/azure-service-tags-vulnerability.html" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">23611</guid><pubDate>Mon, 10 Jun 2024 12:46:11 +0000</pubDate></item><item><title>New York Times source code stolen using exposed GitHub token</title><link>https://nsaneforums.com/news/security-privacy-news/new-york-times-source-code-stolen-using-exposed-github-token-r23579/</link><description><![CDATA[<p>
	Internal source code and data belonging to The New York Times was leaked on the 4chan message board after being stolen from the company's GitHub repositories in January 2024, The Times confirmed to BleepingComputer.
</p>

<p>
	 
</p>

<p>
	As first seen by <a href="https://x.com/vxunderground/status/1798856571931263480" rel="external nofollow" target="_blank">VX-Underground</a>, the internal data was leaked on Thursday by an anonymous user who posted a torrent to a 273GB archive containing the stolen data.
</p>

<p>
	 
</p>

<p>
	"Basically all source code belonging to The New York Times Company, 270GB," reads the 4chan forum post.
</p>

<p>
	 
</p>

<p>
	"There are around 5 thousand repos (out of them less than 30 are additionally encrypted I think), 3.6 million files total, uncompressed tar."
</p>

<p>
	 
</p>

<div style="">
	<p>
		<img alt="4chan.jpg" class="ipsImage" data-ratio="64.72" height="363" width="720" src="https://www.bleepstatic.com/images/news/security/attacks/n/new-york-times/github-4chan/4chan.jpg">
	</p>

	<div>
		<em>Leak of New York Times source code on 4chan</em>
	</div>

	<div>
		<em>Source: BleepingComputer</em>
	</div>

	<p>
		 
	</p>
</div>

<p>
	While BleepingComputer did not download the archive, the threat actor shared a text file containing a complete list of the 6,223 folders stolen from the company's GitHub repository.
</p>

<p>
	 
</p>

<p>
	The folder names indicate that a wide variety of information was stolen, including IT documentation, infrastructure tools, and source code, allegedly including the viral Wordle game.
</p>

<p>
	 
</p>

<p>
	A 'readme' file in the archive states that the threat actor used an exposed GitHub token to access the company's repositories and steal the data.
</p>
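<p>
	The readme's explanation is the whole story in one line: a token that should never have been reachable was, and it carried access to every repository its owner could see. A check a practitioner would want is the one that catches such a token before it leaves the workstation. The scanner below is an added example, not code from the article, The Times or GitHub; it matches the publicly documented token prefixes (classic tokens beginning ghp_, gho_, ghu_, ghs_ or ghr_ with a 36-character body, fine-grained tokens beginning github_pat_ with a 22-character and a 59-character body), and the sample file contents and token values are constructed and fake.
</p>

```python
"""Flag GitHub token shapes in text before it is committed or pushed.
Added example, not code from the article, The Times or GitHub; the sample
below is constructed and the token values are fake."""
import re

# Documented token formats: prefix plus a fixed-length alphanumeric body.
TOKEN_PATTERNS = {
    "github_classic": re.compile(r"\bgh[posur]_[A-Za-z0-9]{36}\b"),
    "github_fine_grained": re.compile(
        r"\bgithub_pat_[A-Za-z0-9]{22}_[A-Za-z0-9]{59}\b"),
}


def redact(token: str) -> str:
    """Keep enough of the token to locate it, never enough to use it."""
    return token[:8] + "..." + token[-4:]


def scan(text: str) -> list:
    """Return one finding per token match: line number, kind, redacted value."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for kind, pattern in TOKEN_PATTERNS.items():
            for match in pattern.finditer(line):
                findings.append({"line": lineno, "kind": kind,
                                 "token": redact(match.group())})
    return findings


def has_secrets(text: str) -> bool:
    """Pre-commit style verdict: True means block the commit."""
    return bool(scan(text))


# Constructed sample: a .env file accidentally staged, with two fake tokens
# and one string that only looks like a token.
SAMPLE = "\n".join([
    "# .env (constructed sample, fake values)",
    "GITHUB_TOKEN=ghp_" + "0123456789abcdefghijABCDEFGHIJ012345",
    'token = "github_pat_' + "A" * 22 + "_" + "B" * 59 + '"',
    "not_a_token=ghp_tooshort",
])

if __name__ == "__main__":
    for f in scan(SAMPLE):
        print(f"line {f['line']}: {f['kind']} {f['token']}")
```

<p>
	Wired into a pre-commit hook this rejects the staged file; run over an existing history it only tells you what has already escaped. In that second case the remediation is revocation, not deletion: a token removed from a branch still lives in every clone and in the forge's reflogs, which is exactly the situation the readme describes.
</p>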

<p>
	 
</p>

<p>
	In a statement to BleepingComputer, The Times said the breach occurred in January 2024 after credentials for a cloud-based third-party code platform were exposed. A subsequent email confirmed this code platform was GitHub.
</p>

<p>
	 
</p>

<div class="QuoteNewsStyle">
	<p>
		"The underlying event related to yesterday’s posting occurred in January 2024 when a credential to a cloud-based third-party code platform was inadvertently made available. The issue was quickly identified and we took appropriate measures in response at the time. There is no indication of unauthorized access to Times-owned systems nor impact to our operations related to this event. Our security measures include continuous monitoring for anomalous activity."
	</p>

	<p>
		 
	</p>
	❖ The New York Times
</div>

<p>
	The company said that the breach of its GitHub account did not affect its internal corporate systems and had no impact on its operations.
</p>

<p>
	 
</p>

<p>
	The Times leak is the second one published to 4chan this week, with the first being a leak of 415MB of stolen internal documents for Disney's Club Penguin game.
</p>

<p>
	 
</p>

<p>
	Sources exclusively told BleepingComputer that the Club Penguin leak was part of a <a href="https://www.bleepingcomputer.com/news/security/club-penguin-fans-breached-disney-confluence-server-stole-25gb-of-data/" target="_blank" rel="external nofollow">more significant breach of Disney's Confluence server</a>, where the threat actors stole 2.5 GB of internal corporate data.
</p>

<p>
	 
</p>

<p>
	It is not known if it was the same person who conducted the New York Times and Disney breaches.
</p>

<p>
	 
</p>

<p>
	<a href="https://www.bleepingcomputer.com/news/security/new-york-times-source-code-stolen-using-exposed-github-token/" rel="external nofollow">Source</a>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:12px;"><em>Hope you enjoyed this news post.</em></span>
</p>

<p>
	<span style="font-size:12px;"><em>Thank you for appreciating my time and effort posting news every single day for many years.</em></span>
</p>

<p>
	<span style="font-size:12px;"><em>2023: Over 5,800 news posts | 2024 (till end of May): Nearly 2,400 news posts</em></span>
</p>
]]></description><guid isPermaLink="false">23579</guid><pubDate>Sat, 08 Jun 2024 18:36:55 +0000</pubDate></item><item><title>London hospitals cancel cancer surgeries after cyber-attack</title><link>https://nsaneforums.com/news/security-privacy-news/london-hospitals-cancel-cancer-surgeries-after-cyber-attack-r23577/</link><description><![CDATA[<p>
	Hospitals in London have had to cancel cancer operations this week because of a Russian cyber-attack that continues to cause serious disruption to NHS services in the capital.
</p>

<p>
	 
</p>

<p>
	St Thomas’ and King’s College hospitals have postponed procedures that their surgeons were due to perform on cancer patients since the attack began last Monday, the Guardian can reveal.
</p>

<p>
	 
</p>

<p>
	They have been forced to take the step because the hack meant they would not have been able to provide a blood transfusion for any patient who needed one.
</p>

<p>
	 
</p>

<p>
	Russian hackers, thought to be the Qilin group, launched a ransomware attack on Synnovis, which supplies blood tests to St Thomas’, King’s and other hospitals in south-east London.
</p>

<p>
	 
</p>

<p>
	One senior NHS manager told the Health Service Journal (HSJ) that the attack, one of the biggest to hit the service, was “everyone’s worst nightmare”.
</p>

<p>
	 
</p>

<p>
	NHS England has released few details of the impact of the cyber-attack, despite the fact that it continues to cause major disruption for six NHS trusts and dozens of GP practices in south-east London that between them provide care to about 2 million people.
</p>

<p>
	 
</p>

<p>
	It refused on Friday to say how many operations, including cancer and transplant surgeries, had been put off this week as a result of the attack. Officials maintained that they did not have figures for the number of operations affected, even though managers in the hospitals involved have had to explain to patients why their procedures have been delayed.
</p>

<p>
	 
</p>

<p>
	A spokesperson for NHS England’s London region, which is coordinating the response to the attack, said: “Pathology services are integral to a wide range of treatments and we know that a number of operations and appointments have been cancelled due to this attack.
</p>

<p>
	 
</p>

<p>
	“We are still working with hospitals and local GP services to fully assess the disruption, and ensure the data is accurate. In the meantime our advice to patients remains, if you have not been contacted please do continue to attend your appointments.”
</p>

<p>
	 
</p>

<p>
	Dr Chris Streather, the medical director for NHS England’s London region, said : “We are sorry to all those who have been impacted and staff will work hard to re-arrange appointments and treatments as quickly as possible.”
</p>

<p>
	 
</p>

<p>
	The same statement disclosed for the first time that no fewer than six NHS trusts – four more than NHS England initially reported – had been affected. They include the South London and Maudsley and Oxleas mental health trusts, Lewisham and Greenwich acute trust and Bromley community services trust, as well as the very large acute trusts that run King’s and St Thomas’.
</p>

<p>
	 
</p>

<p>
	The lack of transparency is causing unease among staff affected by the cyber-attack, which the HSJ reported was likely to keep causing problems for “weeks, not days”.
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://uk.news.yahoo.com/london-hospitals-cancel-cancer-surgeries-173458885.html?guccounter=1" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">23577</guid><pubDate>Sat, 08 Jun 2024 13:42:13 +0000</pubDate></item></channel></rss>
