
Rhysida Ransomware Hits Seattle Port in August Attack



As part of its investigation, the Port of Seattle, which operates Seattle-Tacoma International Airport, has determined that the Rhysida ransomware gang is responsible for the cyberattack that reached its systems last month and caused delays for travellers. The Port confirmed in a statement on Friday that it had been the target of a ransomware attack.

As a result of the attack, which happened on August 24, the Port (which is also responsible for operating Seattle-Tacoma International Airport) announced that "certain system outages have indicated a possibility of a cyberattack." It is important to note that the SEA Airport and its associated facilities remained open after the storm, but passenger displays, Wi-Fi, check-in kiosks, ticketing, baggage, and reserved parking were impacted, as well as the flySEA application and the Port website.

According to a press release that was released on September 13, the Port reported that most of the affected systems had been restored within a week of the attack taking place. As of yet, the Port of Dusseldorf has not been able to relaunch the external website or the internal portals that were offline after securing the impacted systems and finding no signs of additional malicious activity. 

As far as Port systems were concerned, this incident was a "ransomware" attack by Rhysida, a criminal organization that specializes in cybercrime. Since that day, no new unauthorized activity has been conducted on those systems. In a press release, they stressed that it was safe to fly to Seattle-Tacoma International Airport and use the port's maritime facilities. 

The Port took systems offline, but the ransomware gang encrypted those that were not isolated in time, resulting in a series of outages across a variety of services and systems, including baggage, check-in kiosks, ticketing, wireless Internet, passenger display boards, the Port of Seattle website, the flySEA app, and reservations.

The Rhysida group is believed to have encrypted some of the data on the Port's computer systems. That encryption, combined with the Port's decision to isolate the impacted systems as quickly as possible, caused the delays at Sea-Tac Airport, with baggage services, check-in kiosks, ticketing, Wi-Fi, displays, the Port's website and the flySEA app all affected.

The majority of these issues have since been resolved; however, the airport's website and internal portals remain down as of this writing, according to an update posted by the Port of Los Angeles. In the wake of the cyberattack at the airport, the Port of Los Angeles is still unsure exactly how much or what kind of data was taken by the attackers, but the Port cannot afford to pay the ransom demand. No details have been released about what kind of data has been compromised; however, the data is likely to be of great value given the sector in which the agency operates.

The Port of Seattle is also a hotbed of automation and machine learning technologies, which makes it a goldmine of data for attackers. Rhysida is one of the better-known ransomware gangs, particularly for the way it targets organizations that run critical systems for which downtime is not an option.

A hacker group known as the Black Hat Network has in the past targeted healthcare organizations such as Lurie Children's Hospital and Prospect Medical Holdings. As of May 2024, the number of patients affected by this massive data breach had increased from a few hundred to nearly a million. The company stated that the Singing River ransomware attack occurred in September 2023.

The HHS Health Sector Cybersecurity Coordination Center has reported that, in addition to educational institutions and the manufacturing industry, the group has targeted the Chilean army, as well as universities and hospitals. The U.S. Department of Health and Human Services (HHS) has implicated Rhysida in attacks against healthcare organizations in the country.

At the same time as CISA and the FBI issued their warnings, this cybercrime gang was carrying out opportunistic attacks across different industries and sectors of society. In November, Rhysida ransomware operators successfully breached Insomniac Games, a subsidiary of Sony, and subsequently leaked 1.67 TB of confidential documents on the dark web. This occurred after the game development studio declined to meet the group's demand for a $2 million ransom.

Rhysida's affiliates have also been involved in attacks on several other high-profile organizations. The City of Columbus, Ohio, MarineMax (the world's largest retailer of recreational boats and yachts), and the Singing River Health System have all fallen victim to this ransomware group. In particular, Singing River Health System reported that almost 900,000 individuals were notified of a data breach resulting from an August 2023 ransomware attack, in which sensitive personal information was compromised.

CrowdStrike's Recovery Efforts in Focus After Global IT Outage


On July 19, cybersecurity leader CrowdStrike found itself at the centre of a crisis after a faulty software update caused a widespread IT outage, affecting millions of computers worldwide. The aftermath of this incident was evident at the Black Hat cybersecurity conference in Las Vegas, where CrowdStrike had a contributing presence. The company, known for its expertise in stopping cyber threats, faced the challenge of reassuring its customers and partners while dealing with the repercussions of the outage.

CrowdStrike's Response to the Crisis

In the weeks following the outage, CrowdStrike provided regular updates on its investigation into the issue. As part of its apology to affected partners, the company distributed $10 Uber Eats gift cards, though this gesture quickly backfired. Many recipients found their gift cards flagged as fraudulent due to high usage rates, exacerbating the company's already strained relationship with some partners.

Despite the challenges, CrowdStrike maintained a strong presence at the Black Hat conference, where it showcased its products and engaged with attendees. The company's booth, one of the largest at the event, drew attention, not just for the promotional items like T-shirts and action figures but also for the opportunity to discuss the incident with CrowdStrike representatives.

The response from cybersecurity professionals at Black Hat was mixed. Some attendees remained loyal to CrowdStrike, viewing the outage as an unfortunate but not defining moment for the company. A U.S. government employee who uses CrowdStrike regularly expressed confidence in the company's ability to maintain its position as a leading cybersecurity provider. Similarly, a security engineer noted that while his company was affected by the outage, CrowdStrike's prompt and effective remediation efforts helped restore normal operations within a day.

However, not all feedback was positive. Some attendees voiced concerns about the reliability of CrowdStrike's services following the incident. Seth Faeder, an engineer at ClearChoice Dental Implants Centers, noted that while his company wasn't directly impacted, he had to assist in restoring affected systems for his parent company, which uses CrowdStrike. This experience led him to suggest exploring alternatives like Sophos.

Another cybersecurity professional emphasised the importance of having backup plans in place, stating that while it might be difficult to move away from CrowdStrike entirely, the outage is an indicator of the risks involved in relying too heavily on a single provider.

CrowdStrike's Efforts to Rebuild Trust

Throughout the conference, CrowdStrike sought to reassure attendees of its commitment to resilience and customer support. The action figures distributed at the booth came with a message acknowledging the outage and emphasising the company's dedication to preventing similar incidents in the future. This message was also prominently displayed on screens throughout the conference venue, reinforcing CrowdStrike's focus on transparency and accountability.

Kevin Benacci, CrowdStrike's senior director of corporate communications, highlighted that the company's presence at Black Hat was not just about addressing the incident but also about expressing gratitude to the cybersecurity community for its continued support. Technical experts were on hand to discuss the incident in detail and provide insights into the company's response.

Despite the challenges posed by the outage, CrowdStrike's booth remained busy throughout the conference, suggesting that the company's reputation, while damaged, may not be beyond repair. The resilience and loyalty of some cybersecurity professionals indicate that CrowdStrike still holds a crucial place in the industry.

However, the incident has sparked a broader discussion about the reliability of cybersecurity tools and the need for contingency planning. As the industry reflects on the lessons learned from CrowdStrike's outage, the focus will likely shift to ensuring that even the most trusted systems are equipped to handle unforeseen challenges.


Researchers Demonstrate How Attackers Can Exploit Microsoft Copilot


Security researcher Michael Bargury revealed serious flaws in Microsoft Copilot during the recent Black Hat USA conference, demonstrating how hackers might be able to use this AI-powered tool for malicious purposes. This revelation highlights the urgent need for organisations to rethink their security procedures when implementing AI technology such as Microsoft Copilot. 

Bargury's presentation highlighted numerous ways in which hackers could use Microsoft Copilot to carry out cyberattacks. One of the most significant findings was the use of Copilot plugins to install backdoors in other users' interactions, allowing data theft and AI-driven social engineering attacks.

Hackers can use Copilot's capabilities to discreetly search for and retrieve sensitive data, bypassing standard security measures that focus on file and data protection. This is accomplished by modifying Copilot's behaviour with prompt injections, which alter the AI's responses to fit the hacker's goals.

One of the most concerning parts of this issue is its ability to enable AI-powered social engineering attacks. Hackers can utilise Copilot to generate convincing phishing emails or change discussions to trick victims into disclosing sensitive information. This capability emphasises the importance of robust safety protocols in combating cybercriminals' sophisticated techniques.

To demonstrate these flaws, Bargury created a red-teaming program called "LOLCopilot." This tool allows ethical hackers to simulate attacks and better understand the possible vulnerabilities posed by Copilot. LOLCopilot runs on any Microsoft 365 Copilot-enabled tenant with default configurations, allowing ethical hackers to investigate how Copilot might be abused for data exfiltration and phishing attacks while leaving no traces in system logs. 

The demonstration at Black Hat showed that Microsoft Copilot's default security settings are insufficient to avoid such vulnerabilities. The tool's ability to access and handle enormous amounts of data carries significant risk, especially if permissions are not properly updated. To mitigate these threats, organisations should establish robust security policies such as frequent security assessments, multi-factor authentication, and strict role-based access limits.

Furthermore, organisations must educate their staff on the risks associated with AI tools such as Copilot and have extensive incident response policies. Companies can better protect themselves from the misuse of AI technologies by strengthening security procedures and developing a safety-conscious culture.

Researcher Saves Six Companies from Ransomware by Exploiting Security Flaws in Ransomware Gangs’ Infrastructure


A security researcher has revealed that six companies were saved from potentially paying significant ransom demands due to security flaws found in the web infrastructure of the ransomware gangs targeting them. In a rare win for the victim organizations, two companies received decryption keys that allowed them to restore their data without paying a ransom, while four hacked cryptocurrency companies were alerted before the ransomware gang could begin encrypting their files.  

Stykas, a security researcher and chief technology officer at Atropos.ai, conducted a research project aimed at identifying the command and control servers behind more than 100 ransomware and extortion-focused groups and their data leak sites. His goal was to find vulnerabilities that could expose information about these gangs, including details about their victims. Stykas disclosed his findings to TechCrunch ahead of his presentation at the Black Hat security conference in Las Vegas. He identified several rookie security flaws in the web dashboards used by at least three ransomware gangs, which were sufficient to compromise the inner workings of their operations. 

Ransomware gangs typically conceal their identities and activities on the dark web, an anonymous section of the internet accessible through the Tor browser. This anonymity makes it difficult to trace the real-world servers used for cyberattacks and the storage of stolen data. However, coding errors and security vulnerabilities in the leak sites used by these gangs to extort victims by publishing stolen files allowed Stykas to access information about their operations without needing to log in. In some cases, the bugs exposed the IP addresses of the leak site’s servers, providing a way to trace their real-world locations. For instance, Stykas discovered that the Everest ransomware gang was using a default password to access its back-end SQL databases, exposing its file directories. 

Additionally, exposed API endpoints revealed the targets of the BlackCat ransomware gang’s attacks while they were still in progress. Stykas also identified an insecure direct object reference (IDOR) vulnerability, which he used to access and cycle through the chat messages of a Mallox ransomware administrator. Through this, he discovered two decryption keys that he shared with the affected companies. The researcher informed TechCrunch that the victims included two small businesses and four cryptocurrency companies, two of which were unicorns—startups with valuations exceeding $1 billion. However, he declined to name the companies involved. He also noted that none of the companies he notified have publicly disclosed the security incidents, though he did not rule out revealing their names in the future. 

The FBI and other government authorities have long advised victims of ransomware not to pay ransoms, as doing so only incentivizes cybercriminals. However, this advice often leaves companies with few options to regain access to their data or resume operations. Law enforcement agencies have occasionally succeeded in compromising ransomware gangs to obtain decryption keys and cut off their illegal revenue streams, though these efforts have had mixed results. 

Stykas’ research underscores that ransomware gangs can be vulnerable to the same basic security flaws that affect large companies. This presents a potential opportunity for law enforcement to target these criminal hackers, even when they operate outside of traditional jurisdictional reach.

Cybercriminals Exploit Web Hosting Platforms to Spread Malware


Cybersecurity researchers at Zscaler ThreatLabz have uncovered a concerning trend in which cybercriminals are exploiting popular web hosting and blogging platforms to disseminate malware and steal sensitive data. This sophisticated tactic, known as SEO poisoning within the realm of Black Hat SEO techniques, has been employed to manipulate search engine results, pushing fraudulent websites to the forefront of users' search queries, thereby increasing the risk of unwittingly accessing malicious content.


How They Operate

The cybercriminals orchestrating these operations have devised intricate strategies to evade detection and entice unsuspecting users into downloading malware. They fabricate fraudulent websites spanning a wide array of topics, ranging from pirated software to culinary recipes, often hosted on well-established platforms such as Weebly. By adopting the guise of legitimate sites, complete with endorsements like "Powered by Weebly," they exploit users' trust in reputable services to perpetrate their malicious activities.


The process commences with cybercriminals setting up sham sites on web hosting services, adeptly avoiding detection by both hosting providers and users. When individuals search for relevant content and click on links from search results, they unknowingly find themselves on these malevolent sites. To circumvent scrutiny from security researchers, the perpetrators implement evasion techniques, including scrutinising referral URLs. Should a user access the site directly, indicating a potential analysis, the site tactfully sidesteps redirection to preserve its cloak of invisibility.
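The referral-URL check described above (redirect search-engine visitors, serve a decoy to direct visitors) can be detected from the defender's side by fetching the same page with and without a search-engine Referer and comparing the responses. The following is an added example, not code from Zscaler or from the original post; the cloaked site and all URLs in it are constructed stand-ins, and the `fetch` callable is a placeholder for a real HTTP client.

```python
from urllib.parse import urlparse

# Referers a genuine search-engine visitor would carry; the cloaked page keys its behaviour on these.
SEARCH_REFERERS = (
    "https://www.google.com/search?q=download+cracked+software",
    "https://www.bing.com/search?q=download+cracked+software",
)
PAYLOAD_URL = "https://payload.example.invalid/Software_Crack_2024.zip"  # constructed placeholder


def constructed_cloaking_site(url: str, headers: dict) -> tuple:
    """Constructed stand-in for a poisoned hosting-platform page (not a real site).
    Returns (status, response_headers, body) the way a minimal HTTP client would."""
    referer_host = urlparse(headers.get("Referer", "")).netloc.lower()
    if referer_host.endswith("google.com") or referer_host.endswith("bing.com"):
        # Search-engine arrival: bounce the visitor onward to the download.
        return 302, {"Location": PAYLOAD_URL}, b""
    # Direct visit, so possibly an analyst: serve the decoy and skip the redirect.
    return 200, {}, b"<html><h1>Free Software Downloads</h1><p>Coming soon.</p></html>"


def constructed_honest_site(url: str, headers: dict) -> tuple:
    """Control case: identical response regardless of Referer."""
    return 200, {}, b"<html><h1>Cookie recipe</h1></html>"


def probe_referer_cloaking(fetch, url: str, referers=SEARCH_REFERERS) -> list:
    """Fetch `url` with no Referer, then once per search-engine Referer, and report
    every request whose status, Location header or body diverges from the direct visit."""
    direct_status, direct_headers, direct_body = fetch(url, {})
    findings = []
    for ref in referers:
        status, hdrs, body = fetch(url, {"Referer": ref})
        if (status, hdrs.get("Location"), body) != (
            direct_status, direct_headers.get("Location"), direct_body
        ):
            findings.append({
                "referer": ref,
                "direct_status": direct_status,
                "referred_status": status,
                "redirect_to": hdrs.get("Location"),
            })
    return findings


if __name__ == "__main__":
    for name, site in (("cloaked", constructed_cloaking_site), ("honest", constructed_honest_site)):
        print(name, probe_referer_cloaking(site, "https://example.invalid/free-software"))
```

For a live check, pass a `fetch` that wraps `urllib.request` with redirects disabled, so the 302 and its Location header are returned rather than followed.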


The Payload Delivery System

Malicious payloads are secretly delivered through multi-layered zipped files concealed within seemingly innocuous content. For instance, an individual seeking cracked software may inadvertently download malware instead of the anticipated content. Upon execution, the malware initiates a sequence of actions, encompassing process hollowing and DLL sideloading, aimed at downloading additional malware and establishing communication with command-and-control servers.


Tricks to Avoid Detection

To further complicate their activities, threat actors employ techniques including string concatenation, mathematical manipulation, and the use of password-protected ZIP archives. These tactics serve to confound security measures, rendering the malicious code arduous to decipher and bolstering the malware's ability to slip past detection.
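The multi-layered archives from the payload-delivery section and the password-protected ZIPs mentioned here are both visible before anything is executed: nesting depth, the ZIP encryption flag on each entry, and executables buried at the bottom can all be read from the archive structure. The following inspector is an added example, not code from Zscaler or the original post; the three-layer sample it builds in memory is constructed, with a fake `setup.exe` consisting of an MZ header and zeros rather than any real program.

```python
import io
import zipfile

# File types that should not be sitting at the bottom of a "cracked software" download.
SUSPICIOUS_EXT = {".exe", ".dll", ".scr", ".js", ".vbs", ".bat", ".cmd", ".lnk", ".msi"}


def build_nested_sample() -> bytes:
    """Constructed three-layer archive (zip -> zip -> fake .exe), built in memory."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("setup.exe", b"MZ" + b"\x00" * 64)  # constructed, not a real executable
    middle = io.BytesIO()
    with zipfile.ZipFile(middle, "w") as z:
        z.writestr("crack.zip", inner.getvalue())
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("README.txt", b"run the installer inside")
        z.writestr("Software_Crack_2024.zip", middle.getvalue())
    return outer.getvalue()


def build_benign_sample() -> bytes:
    """Constructed single-layer archive with only text members, as a control case."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("README.txt", b"just text")
        z.writestr("recipe.txt", b"flour, sugar, butter")
    return buf.getvalue()


def _ext(name: str) -> str:
    base = name.rsplit("/", 1)[-1]
    return "." + base.rsplit(".", 1)[-1].lower() if "." in base else ""


def inspect_archive(data: bytes, max_depth: int = 5, _depth: int = 0, _path: str = "") -> dict:
    """Recursively walk a ZIP held in memory and report nesting depth, password-protected
    entries (general purpose flag bit 0 set) and executable members at any level."""
    report = {"max_depth": _depth, "encrypted": [], "executables": [], "unreadable": []}
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        report["unreadable"].append(_path or "<root>")
        return report
    with zf:
        for info in zf.infolist():
            full = f"{_path}/{info.filename}" if _path else info.filename
            if info.flag_bits & 0x1:
                # Encrypted entry: it cannot be scanned without the password, which is
                # exactly why the campaign uses them, so record it and move on.
                report["encrypted"].append(full)
                continue
            ext = _ext(info.filename)
            if ext in SUSPICIOUS_EXT:
                report["executables"].append(full)
            elif ext == ".zip" and _depth < max_depth:
                sub = inspect_archive(zf.read(info), max_depth, _depth + 1, full)
                report["max_depth"] = max(report["max_depth"], sub["max_depth"])
                for key in ("encrypted", "executables", "unreadable"):
                    report[key].extend(sub[key])
    return report


def is_suspicious(report: dict, depth_threshold: int = 2) -> bool:
    """Flag archives nested at least `depth_threshold` levels deep, carrying
    encrypted members, or containing an executable anywhere inside."""
    return (report["max_depth"] >= depth_threshold
            or bool(report["encrypted"])
            or bool(report["executables"]))


if __name__ == "__main__":
    for label, sample in (("nested", build_nested_sample()), ("benign", build_benign_sample())):
        rep = inspect_archive(sample)
        print(label, rep, "SUSPICIOUS" if is_suspicious(rep) else "clean")
```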


Data Theft and Deceptive Tactics

Once ensconced within a system, the malware embarks on a mission to harvest extensive troves of data, encompassing system information, browser data, credentials, and browsing history. Additionally, it sets its sights on emails pertaining to cryptocurrency exchanges, adeptly modifying email content and intercepting one-time authentication codes to facilitate unauthorised access.


How To Protect Yourself?

Keeping in mind such campaigns, users are advised to exercise utmost caution when procuring software from unfamiliar sources and to prioritise visiting reputable websites. Staying abreast of emerging cybersecurity threats and securing defences with robust protocols can substantially mitigate the risk of succumbing to potential infections.



LogoFAIL: UEFI Vulnerabilities Unveiled

The discovery of vulnerabilities is a sharp reminder of the ongoing conflict between innovation and malevolent intent in the ever-evolving field of cybersecurity. The tech community has been shaken by the recent discovery of LogoFAIL, a set of vulnerabilities hidden in the Unified Extensible Firmware Interface (UEFI) code that could allow malicious bootkit insertion through images during system boot.

Researchers have delved into the intricacies of LogoFAIL, shedding light on its implications and the far-reaching consequences of exploiting image parsing vulnerabilities in UEFI code. The vulnerability was aptly named 'LogoFAIL' due to its origin in the parsing of logos during the boot process. The severity of the issue is evident from the fact that it can be exploited to inject malicious code, potentially leading to the deployment of boot kits — a type of malware capable of persistently infecting the system at a fundamental level.

The vulnerability was first brought to public attention through a detailed report by Bleeping Computer, outlining the specifics of the LogoFAIL bugs and their potential impact on system security. The report highlights the technical nuances of the vulnerabilities, emphasizing how attackers could exploit weaknesses in UEFI code to compromise the integrity of the boot process.

Further exploration of LogoFAIL is presented in a comprehensive set of slides from a Black Hat USA 2009 presentation by researcher Rafal Wojtczuk. The slides provide an in-depth analysis of the attack vectors associated with LogoFAIL, offering valuable insights into the technical aspects of the vulnerabilities.

In a more recent context, the Black Hat Europe 2023 schedule includes a briefing on LogoFAIL, promising to delve into the security implications of image parsing during system boot. This presentation will likely provide an updated perspective on the ongoing efforts to address and mitigate the risks that LogoFAIL poses.

The gravity of LogoFAIL is underscored by additional resources such as the analysis on binarly.io and the UEFI Forum's document on firmware security concerns and best practices. Collectively, these sources highlight the urgency for the industry to address and remediate the vulnerabilities in the UEFI code, emphasizing the need for robust security measures to safeguard systems from potential exploitation.

Working together to solve these vulnerabilities becomes critical as the cybersecurity community struggles with the consequences of LogoFAIL. The industry must collaborate to establish robust countermeasures for the UEFI code, guaranteeing system resilience against the constantly changing cyber threat environment.


Seasides Conference: Interviewing Prashant Kv and Parveen

1) Could you please start by telling us a bit about yourself and your background? 

Prashant: Hi, my name is Prashant KV. I have been working in information security for more than 15 years. I started my career as a developer and then transitioned into application security. Over the years, I have managed and led many penetration testing, source code review, and other InfoSec tasks.

I was a part of the null and OWASP Bangalore chapter until 2013. In 2013, I moved to the USA, and I have been living here ever since. Presently, I also manage the OWASP Bay Area chapter. 

Parveen: Parveen, who possesses over 12 years of experience, currently serves as a Product Security Analyst at an Organization specializing in bug bounties. His expertise spans various areas, including Web application testing, Network penetration testing, Thick Client Testing, security assessment of Large Industry printers, Red Teaming, and Mobile Application Testing. In addition to his professional role, Parveen is the co-founder of the OWASP Seaside Conference in Goa and the founder of Bug Bounty Village. He has also presented at both the C0c0n and Seasides Conference. 

2) What inspired you to start the Seasides Conference? Maybe share a story of how you came up with the idea for the Seasides Conference.  

Prashant: Barring a few exceptions, I have attended almost all Nullcon events to date. During the Nullcon training days, we used to simply roam around on the beaches. At that time, we thought, "Why not do something useful?" The idea came to us: "Why not organize some free events that provide quality education to individuals from humble backgrounds?" Hence, the idea of Seasides was born. We were fortunate that Bugcrowd was our first sponsor, and then we secured good sponsors all along the way. If it weren't for the generous sponsorships and our enthusiastic team, we would not have been able to sustain this event.  

Parveen: The Seasides conference's motto is to offer free cybersecurity training to the community, aligning with the ethos of the hacking culture that believes knowledge should be freely accessible to all. We aim to foster the growth of the cybersecurity community without imposing the burden of conference fees on individuals seeking to expand their knowledge in this field. 

3) What were the major challenges you faced in the early stages of establishing the conference? 

Prashant: Finding a venue within our budget was a major challenge. The first event we organized took place at a location with false partitions and no air conditioning. Nevertheless, people showed up with great enthusiasm, and the event was a huge success. We only determine our expenditure after we have estimates of sponsorship, which helps us keep ourselves in check. 

Parveen: The major challenge we faced was figuring out how to initiate the conference and garner support from sponsors, especially given our limited experience in conference management. Initially, our plan was to provide training to only 30-40 students. However, as things progressed, the cybersecurity community in India expressed significant interest in our event. Consequently, we had to transition from a limited number of students to an open-ended approach while still maintaining our commitment to free access and ensuring the quality of the training materials. 

Over time, sponsors began to place their trust in our initiatives, and they started providing sponsorship. Last year, our conference saw tremendous growth, with more than 500 attendees participating. 

4) What are the primary objectives and goals of the Seasides Conference? Perhaps you can elaborate on the main themes of the Conference. 

Prashant: The main objective of the conference is to provide premium quality training to attendees free of cost. We consider the event a success even if we are able to change just one life. Our event primarily consists of training sessions, the topics of which can help students and professionals enter the field of cybersecurity or master certain subjects. This year, we have each day dedicated to specific skill levels. For example, the first day is for advanced training, the second day is for basic level, and the third day focuses on enterprise security-related topics. 

One of the major fun aspects of the conference is our memes and informational posts. We are fortunate that our core group of volunteers has grown from single digits to more than 50 today. Our volunteering team thoroughly enjoys creating memes and blending humor with technology. 

Parveen: We have consistently adhered to the principle that our conference should revolve solely around the sharing of knowledge. Our traditional sessions on topics such as application security, blockchain security, and car hacking will remain a staple. As always, training sessions, meals, and social events will continue to be free and accessible to all. 

We proudly organize Seasides (https://www.seasides.net), a no-cost Infosec conference in India. The conference's primary goal is to provide high-quality cybersecurity training to everyone, free of charge. Furthermore, we extend a scholarship opportunity of 5,000 INR to underprivileged students, enabling them to participate in this event. 

5) How does the conference contribute to the cybersecurity and technology community? 

Prashant: The main objective is to expose students and professionals to various domains in information security. In addition to raising awareness, our events have also assisted many young students in securing jobs. Our sponsors actively seek out talented individuals, and we have successfully recruited some excellent candidates from the event.  

Parveen: In our own modest manner, we are contributing to the growth of India's cybersecurity ecosystem. Last year, several organizations conducted recruitment activities at our conference and even extended job offers on the spot, including many of our scholarship recipients. We are optimistic that more organizations will recognize the talent pool at Seasides and choose to recruit skilled individuals from our event in the future. 

6) There are several renowned cybersecurity conferences like DEFCON, BlackHat, and our own Indian NULL. How does the Seasides Conference differentiate itself from these events? That is, what unique features or offerings does the Seasides Conference bring to the table that set it apart from other similar conferences?

Prashant: We aspire to be among the list of conference names you mentioned. Nullcon has done a fabulous job of attracting top-quality researchers from all over the world to India. Nullcon is widely regarded as the best conference in Asia, and many of us have grown and learned through our experiences at Nullcon. 

Our primary focus is on students and young professionals who wish to enter this field. Many students face financial constraints when it comes to covering travel, accommodation, and conference fees. We aim to provide them with the opportunity to experience the atmosphere of world-class conferences without worrying about the cost. 

Parveen: Most of the conferences mentioned above serve as excellent platforms for connection, learning, and networking. However, attending these conferences often comes with substantial financial expenses, which not everyone in India can readily afford. In contrast, Seasides offers high-quality training completely free of cost, making it accessible to anyone on a first-come, first-served basis. 

7) How has the Seasides Conference fostered a sense of community among attendees, speakers, and participants? 

Prashant: As mentioned earlier, our core group of volunteers has grown from single digits to more than 50 today. Even after the conference, team members stay in touch and are always on the lookout to take the conference to the next level. In that way, we are a close-knit community.  

Parveen: Fortunately, all of our speakers have generously offered their training services free of charge up to this point, sharing the same goal of educating and nurturing young minds in the field of cybersecurity. This year, we are introducing a change by compensating our workshop trainers for their dedication and hard work. Additionally, we are bringing in renowned experts from outside India to share their experiences and provide valuable insights to our attendees. 

8) What opportunities does the conference provide for networking and collaboration within the cybersecurity field? 

Prashant: Seasides parties are always legendary, and as much as people look forward to the training, they also eagerly anticipate the Seasides parties. This is a crucial aspect of our networking. In addition to that, we have WhatsApp groups and social media interactions that facilitate collaboration among attendees. 

Parveen: Our conference draws a diverse audience, including both professionals and students, creating a valuable opportunity for mutual connection and learning. To further enhance the experience, we are introducing a Career Booster session at the conference. In this session, esteemed professionals will review resumes and assess aptitude through interviews, providing students with a unique opportunity to gain real interview experience. 

Furthermore, this year, we are introducing a distinctive element by bringing in an English teacher. This instructor will focus on teaching effective communication and interview skills, equipping attendees with essential abilities to excel in their careers. 

9) How do you ensure a balance between technical depth and accessibility for a diverse audience? 

Prashant: We have wCTF, a dedicated Capture The Flag (CTF) competition, to encourage more women to participate in playing CTFs. We consistently have a good number of women trainers and attendees. With a wide range of training sessions, we strive to ensure that people of all skill levels can attend the event and derive value from it. 

Parveen: To create a well-rounded conference experience, we implement several strategies. First and foremost, we curate a diverse speaker lineup that caters to a wide range of expertise levels and backgrounds. This ensures attendees have a plethora of options, from deep technical talks to more accessible introductions. Additionally, we organize the conference into distinct tracks, separating highly technical sessions from those more suitable for beginners. To further enhance the learning experience, we offer workshops and training sessions tailored to various skill levels.  

Our panel discussions provide high-level insights and encourage engaging conversations for a broader audience. Session descriptions are meticulously crafted to indicate the intended audience and technical depth, empowering attendees to make informed choices. Moreover, we foster networking opportunities, enabling knowledge exchange between beginners and experts. Q&A sessions following talks allow attendees to seek clarification and bridge the gap between technical depth and accessibility. Lastly, we highly value attendee feedback, using it to refine future conferences and strike the perfect balance between technical depth and accessibility. 

10) As the founder, where do you envision the Seasides Conference in the next few years? Any plans for expansion or evolution?  

Prashant: We aim to introduce more hardware hacking sessions and invite more researchers who specialize in hardware hacking. This is one area where we aspire to make a contribution and encourage the growth of hardware hacking expertise within India. 

Parveen: As the founder of the Seasides Conference, I am fully dedicated to charting a dynamic and promising course for our event's future. To begin, we are committed to extending the conference's influence well beyond the borders of India. This will be achieved through the inclusion of virtual components and the organization of satellite events across diverse regions, aiming to attract an international audience eager to engage with our vibrant cybersecurity community. Additionally, we will introduce specialized tracks dedicated to emerging trends within the field. These tracks will explore cutting-edge topics such as AI and machine learning security, IoT security, quantum computing, and revolutionary technologies like blockchain. This forward-looking approach ensures that our attendees remain at the forefront of the ever-evolving cybersecurity landscape. 

11) Is there anything else you'd like to share with the CySecurity News audience about the Seasides Conference or your journey as its founder? 

Prashant: A tremendous amount of effort goes into the planning and execution of this event. Beyond the goodwill it generates, we don't expect much in return. All we ask from attendees is to share some kind words on their own accord. Particularly, we appreciate it when they express gratitude towards our sponsors and hardworking volunteers. 

Parveen: My journey as a co-founder of the Seasides conference is undoubtedly rewarding and heartwarming. The stories of students receiving scholarships and job opportunities through Seasides, and how it positively impacts their lives and families, are incredibly fulfilling. It's a testament to the valuable work our team is doing to support and empower the cybersecurity community. The sense of making a meaningful difference in people's lives and contributing to the growth of the industry is a source of great pride and satisfaction.  

12) Lastly, how can interested individuals learn more about the Seasides Conference and get involved? 

Prashant: Certainly, I encourage anyone interested in volunteering for Seasides to check out the website at www.seasides.net and follow their social media handles. You can also reach out to them via direct message (DM) as they are always on the lookout for new volunteers with diverse backgrounds and skills. 

AI Malware vs. AI Defences: WormGPT Cybercrime Tool Predicts a New Era


Business email compromise (BEC) attacks are being launched by cybercriminals with the assistance of generative AI technology. One such tool is WormGPT, a black-hat alternative to GPT models that has been designed for malicious purposes. 

SlashNext said that WormGPT was trained on a variety of data sources, with a concentration on malware-related data. Based on the input it receives, WormGPT can produce highly convincing phoney emails by creating language that resembles human speech. 

Screenshots posted on a cybercrime forum show malicious actors exchanging ideas on how to use ChatGPT to support successful BEC attacks, demonstrating that even hackers who are not fluent in the target language can create convincing emails using generative AI. 

The research team also assessed WormGPT's potential risks, concentrating particularly on BEC assaults. They programmed the tool to generate an email intended to persuade an unsuspecting account manager into paying a fake invoice.

The findings showed that WormGPT was "strategically cunning," demonstrating its capacity to launch complex phishing and BEC operations, in addition to being able to use a convincing tone. 

The research study noted that the creation of such tools highlights the threat posed by generative AI technologies, including WormGPT, even in the hands of inexperienced hackers.

"It's like ChatGPT but has no ethical boundaries or limitations," the report said. The report also highlighted that hackers are developing "jailbreaks," specialised commands intended to trick generative AI interfaces into producing output that may involve revealing private data, creating offensive content, or even running malicious code. 

Some proactive cybercriminals are even going so far as to create their own, attack-specific modules that are similar to those used by ChatGPT. This development could make cyber defence much more challenging. 

"Malicious actors can now launch these attacks at scale at zero cost, and they can do it with much more targeted precision than they could before," stated SlashNext CEO Patrick Harr. "If they aren't successful with the first BEC or phishing attempt, they can simply try again with retooled content." 

The growth of generative AI tools is adding complications and obstacles to cybersecurity operations, as well as highlighting the need for more effective defence systems against emerging threats. 

Harr believes that AI-aided BEC, malware, and phishing attacks may be best combated using AI-aided defence capabilities. He believes that organisations will eventually rely on AI to handle the discovery, detection, and remediation of these threats, since there is no other way for humans to stay ahead of the game. In April, despite the tool's directive to block malicious requests, a Forcepoint researcher persuaded the AI tool to construct malware for locating and exfiltrating certain documents. 

Meanwhile, developers' enthusiasm for ChatGPT and other large language model (LLM) tools has left most organisations entirely unable to guard against the vulnerabilities introduced by the emerging technology.

Onapsis Report: Flaws to be Fixed Immediately

On Thursday, CISA added seven vulnerabilities to its Known Exploited Vulnerabilities Catalog and urged government organizations to fix them by September 8. The catalog is CISA's list of vulnerabilities that should be patched because they are known to be actively exploited in cyberattacks; the latest additions include recent security bugs from Apple, Google, SAP, and Microsoft.

Vulnerabilities

Onapsis disclosed the major SAP vulnerability CVE-2022-22536 in February and gave it a 10/10 severity rating. CISA promptly alerted administrators of the need to fix the flaw, because failure to do so could result in data loss, financial fraud, disruption of crucial business processes, ransomware attacks, and the cessation of all operations.

The vendor addressed the issue in February in Web Dispatcher, Content Server 7.53, NetWeaver Application Server ABAP, NetWeaver Application Server Java, and ABAP Platform.

According to a research paper by Onapsis researcher Martin Doyhenard, "both CVE-2022-22536 and CVE-2022-22532 were remotely exploitable and could be utilized by unauthenticated attackers to entirely compromise any SAP installation on the planet."

On Wednesday, Apple released security updates for the CVE-2022-32893 and CVE-2022-32894 flaws in macOS and iOS/iPadOS, stating that these vulnerabilities might be used to execute code on devices that have not been updated.

Apple did not explain how the vulnerabilities were being exploited. However, given that CVE-2022-32894 permits code to be run with kernel privileges, it would enable total device takeover.

Google Chrome 104.0.5112.101, released on Tuesday, contains a fix for the CVE-2022-2856 vulnerability. Vulnerability researcher Hossein Lotfi found more information about the problem, although it has not been disclosed how hackers have used it in attacks.

Microsoft resolved the CVE-2022-21971 remote code execution vulnerability in the February 2022 Patch Tuesday, but there is no information on how it is currently being used in the wild. Meanwhile, CVE-2022-26923 affects Active Directory Domain Services and involves privilege escalation; days after Microsoft issued a fix in May, PoC exploits started to surface.

Martin Doyhenard, an Onapsis researcher, will give a paper on exploiting inter-process communication in SAP's HTTP server on August 10 at the Black Hat conference and on August 13 at the Def Con conference. The 18-page document Onapsis published describing its findings is also available.

FCEB agencies are required to address the catalogued vulnerabilities by the deadline to safeguard their networks from attacks that take advantage of them, as stated in Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities.
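Administrators outside the FCEB face the same triage problem: which catalog entries apply to what is actually deployed, and how many days remain before (or since) the due date. The Python below is an added example, not CISA or Onapsis tooling. It parses a constructed excerpt that follows the field names of the real KEV JSON feed (cveID, vendorProject, product, dateAdded, dueDate, requiredAction); the CVE ids and the 2022-09-08 due date come from the post above, while the dateAdded and product strings are sample values, and the vendor-to-keyword inventory format is an assumption made for this example.

```python
import json
from datetime import date

# Constructed excerpt in the shape of CISA's KEV catalog JSON. Field names follow
# the real feed; the CVE ids and the 2022-09-08 due date are those named in the
# post, and the dateAdded / product strings are sample values.
SAMPLE_KEV_JSON = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities (constructed excerpt)",
    "vulnerabilities": [
        {"cveID": "CVE-2022-22536", "vendorProject": "SAP",
         "product": "Multiple Products", "dateAdded": "2022-08-18",
         "dueDate": "2022-09-08", "requiredAction": "Apply updates per vendor instructions."},
        {"cveID": "CVE-2022-32894", "vendorProject": "Apple",
         "product": "iOS, iPadOS, and macOS", "dateAdded": "2022-08-18",
         "dueDate": "2022-09-08", "requiredAction": "Apply updates per vendor instructions."},
        {"cveID": "CVE-2022-2856", "vendorProject": "Google",
         "product": "Chromium", "dateAdded": "2022-08-18",
         "dueDate": "2022-09-08", "requiredAction": "Apply updates per vendor instructions."},
        {"cveID": "CVE-2022-26923", "vendorProject": "Microsoft",
         "product": "Active Directory Domain Services", "dateAdded": "2022-08-18",
         "dueDate": "2022-09-08", "requiredAction": "Apply updates per vendor instructions."},
    ],
})


def _to_date(d):
    """Accept either a date or an ISO 'YYYY-MM-DD' string."""
    return d if isinstance(d, date) else date.fromisoformat(d)


def load_kev(raw_json):
    """Index the catalog by CVE id; extra fields in the real feed are kept as-is."""
    catalog = json.loads(raw_json)
    return {entry["cveID"]: entry for entry in catalog["vulnerabilities"]}


def days_until_due(entry, today):
    """Days left before the BOD 22-01 due date; negative means already overdue."""
    return (_to_date(entry["dueDate"]) - _to_date(today)).days


def triage(raw_json, inventory, today):
    """Match catalog entries against an assumed inventory format
    {vendorProject: [product keywords]} and return
    (cveID, vendor, product, days_until_due) tuples, most urgent first.
    An empty keyword list matches every entry for that vendor."""
    hits = []
    for cve, entry in load_kev(raw_json).items():
        keywords = inventory.get(entry["vendorProject"])
        if keywords is None:
            continue                      # vendor not deployed here
        product = entry["product"].lower()
        if keywords and not any(k.lower() in product for k in keywords):
            continue                      # vendor deployed, but not this product
        hits.append((cve, entry["vendorProject"], entry["product"],
                     days_until_due(entry, today)))
    hits.sort(key=lambda h: h[3])
    return hits


def overdue(raw_json, inventory, today):
    """CVE ids from triage() whose remediation deadline has passed."""
    return [h[0] for h in triage(raw_json, inventory, today) if h[3] < 0]


if __name__ == "__main__":
    inv = {"SAP": [], "Microsoft": ["Active Directory"], "Apple": ["macOS"]}
    for row in triage(SAMPLE_KEV_JSON, inv, "2022-09-01"):
        print(row)
```

Matching on vendorProject plus a product keyword is deliberately coarse; it is a first filter for an analyst, not a substitute for version-level asset data, and entries such as SAP's "Multiple Products" only match when the vendor is listed with an empty keyword list.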

SideWinder Launched Nearly 1000 Assaults in Two Years


The South Asian APT group SideWinder has been on a tear for the past two years, launching nearly 1,000 attacks and deploying increasingly sophisticated techniques. 

Earlier this week, Noushin Shabab, a senior security researcher at Kaspersky, shared her findings on SideWinder's attack methodologies at the Black Hat Asia conference.

SideWinder has been active since at least 2012 and primarily targets military and law enforcement agencies in Pakistan, Bangladesh, and other South Asian countries. In recent years, it has also targeted ministries of foreign affairs, scientific and defence organizations, aviation, the IT industry, and legal firms. Some of its newly registered domains and spear-phishing documents indicate that this threat actor is expanding the geography of its targets to other countries and regions. 

By expanding the geography of its targets to other countries and regions, SideWinder has become one of the world's most prolific hacking groups. The reason behind its expansion, however, remains unknown. 

Last year, the group deployed new obfuscation techniques for the JavaScript it drops into .RTF files, .LNK files, and Open Office documents. Kaspersky has observed unique encryption keys deployed across over 1,000 malware samples sourced from the group.

The group even ran two versions of its obfuscation techniques in parallel over several months, and appears to have shifted from an older, less stealthy version to its current malware. SideWinder also rotates the domains used for its command-and-control servers and its download servers regularly. That is mostly to ensure that if a domain gets detected, it still has a way to reach its targets, Shabab explains. Spreading activity across different domains is also less likely to raise suspicion. 

In January 2020, Trend Micro researchers revealed that they had unearthed SideWinder exploiting a zero-day local privilege-escalation vulnerability (CVE-2019-2215) that affected hundreds of millions of Android users when it was first published. 

“I think what really makes them stand out among other APT [advanced persistent threat] actors is the big toolkit they have, with many different malware families, lots of new spear-phishing documents, and a very large infrastructure. I have not seen 1,000 attacks from a single APT group so far,” Shabab stated.

Researchers Reveal DBREACH as New Attack Against Databases


Databases hold an organization's most critical data, which gives cybercriminals every reason to target them. 

At the Black Hat USA 2021 hybrid event, where hackers were encouraged to collaborate with federal agencies against cybercriminals, a group of researchers presented a new type of attack against databases that could lead to information disclosure and loss. The attack has been named DBREACH, an acronym for Database Reconnaissance and Exfiltration via Adaptive Compression Heuristics. 

Mathew Hogan, one of the researchers, said that in modern databases compression is often paired with encryption in order to reduce storage costs. That pairing, however, can increase risk, because it exposes the database to a class of vulnerabilities known as side-channel attacks. 

“With DBREACH, an attacker is able to recover other users’ encrypted content by utilizing a compression side channel," Hogan said. "We believe this is the first compression side-channel attack on a real-world database system." 

Hogan and his colleagues, in a detailed 121-slide presentation, described thoroughly how a DBREACH attack could work. Reportedly, DBREACH uses the same techniques as the CRIME (Compression Ratio Info-leak Made Easy) attack on Transport Layer Security (TLS) that was first reported in 2013. 

"We believe that this threat model is realistic and achievable," Hogan said. "The update capability can be achieved through a front-end web interface that's backed up by a database table, which is something that's really common in a lot of databases." 

How can database users mitigate the risk of DBREACH? 

There are several ways for database users to mitigate the risk of DBREACH. One of them, according to Hogan, is not using column-level permissions. He also recommended that organizations monitor database usage patterns for unusual activity, in a manner similar to Denial of Service (DoS) detection: looking for a single user that is performing an unusually high number of updates. 

"The only foolproof method for preventing this attack is to turn off compression. ... We believe that this really drives home the point that compression and encryption should be combined very carefully, lest you or your system fall victim to a compression side-channel attack," Hogan added.
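To make both points concrete, here is an added Python example; it is not Hogan's code or the DBREACH tooling. The first part shows, with zlib on constructed rows, why compression beside encryption is a side channel: the compressed size of a page holding a victim row and an attacker-controlled row depends on how much the two rows have in common, and encryption preserves that size. The second part implements the monitoring Hogan recommends, a sliding-window count of UPDATE statements per user, run over constructed audit-log lines in an assumed `timestamp user= op= table=` format.

```python
import re
import zlib
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# ---- Part 1: why compression beside encryption leaks --------------------------
# Encryption hides content but not length. When a victim row and an attacker-
# controlled row share a compressed page, the page's size reveals whether the
# attacker's row repeats the victim's content. All rows below are constructed.

def stored_size(rows):
    """Size of a page of rows after compression; encryption would preserve it."""
    return len(zlib.compress(b"\n".join(rows)))


def compression_leak_demo():
    """Return (size when the attacker row repeats the victim's content,
    size when it shares only the field name); the first is smaller."""
    victim = b"api_token=7f3c9a1d2b8e4f60a5c1"          # constructed secret
    repeats_victim = b"api_token=7f3c9a1d2b8e4f60a5c1"  # identical attacker row
    unrelated = b"api_token=0a9e8d7c6b5a4f3e2d1c"       # only the prefix matches
    return stored_size([victim, repeats_victim]), stored_size([victim, unrelated])


# ---- Part 2: the usage-pattern monitoring Hogan recommends ---------------------
# The audit-log line format below is an assumption made for this example.
LOG_RE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) op=(?P<op>\S+) table=(?P<table>\S+)$")
TS_FMT = "%Y-%m-%dT%H:%M:%SZ"


def parse_audit_line(line):
    """Return (timestamp, user, op, table), or None for lines that do not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], TS_FMT).replace(tzinfo=timezone.utc)
    return ts, m["user"], m["op"], m["table"]


def detect_update_bursts(lines, window_seconds=60, threshold=20):
    """Flag users whose UPDATE count inside any sliding window of
    window_seconds exceeds threshold. Returns {user: peak_count}."""
    recent = defaultdict(deque)   # per-user timestamps still inside the window
    peak = defaultdict(int)
    events = sorted(e for e in map(parse_audit_line, lines) if e is not None)
    for ts, user, op, _table in events:
        if op != "UPDATE":
            continue
        q = recent[user]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()               # drop timestamps that fell out of the window
        peak[user] = max(peak[user], len(q))
    return {u: n for u, n in peak.items() if n > threshold}


def constructed_audit_log():
    """Sample log: a normal user, a read-only user, one malformed line, and a
    user hammering a single table with updates the way a probe would."""
    base = datetime(2021, 8, 5, 10, 0, 0, tzinfo=timezone.utc)
    lines = [f"{(base + timedelta(minutes=5 * i)).strftime(TS_FMT)} user=alice op=UPDATE table=customers"
             for i in range(3)]
    lines.append(f"{base.strftime(TS_FMT)} user=bob op=SELECT table=customers")
    lines.append("malformed line that the parser must skip")
    lines += [f"{(base + timedelta(seconds=i)).strftime(TS_FMT)} user=mallory op=UPDATE table=customers"
              for i in range(40)]
    return lines


if __name__ == "__main__":
    print("compressed sizes (repeat, unrelated):", compression_leak_demo())
    print("burst users:", detect_update_bursts(constructed_audit_log()))
```

The detector is intentionally the same shape as a request-rate DoS check: the threshold and window are tuned per table from normal traffic, and a flagged user is a lead for review rather than proof of an attack. Turning compression off, as Hogan notes, remains the only complete fix.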

Black Hat 2021: Zero-days, Ransoms and Supply Chains


During Black Hat 2021, Corellium COO Matt Tait warned that the amount of zero-days exploited in the open is "off the charts." 

The primary concerns Tait highlighted during his Wednesday keynote were a significant rise in the number of zero-days identified and exploited in the wild, stolen zero-days, and supply chain assaults. 

He claims that all three are to blame for several big breaches in the last two years, including the Colonial Pipeline, Kaseya, SolarWinds, and Microsoft Exchange hacks. As per his keynote, the number of zero-days discovered and exploited in the wild has reached new heights in recent years. 

"This is both in the government sector, doing espionage, and in the financially motivated crimeware industry, ransomware. It's getting to the point now where it's beginning to overwhelm our ability to respond in the defensive sector," Tait stated during the keynote. 

He added that attackers would most likely need a chain of flaws to attack a system and obtain access. To accomplish that, they need to create a complete zero-day chain. 

"And these things are very expensive thanks to platform security investments. Every time an attacker has a full chain and wants to use it, that's a risk. The possibility that the zero-day chain or some aspects of that intrusion gets detected can be a very expensive cost for the attacker." 

Similarities in high-profile attacks

He added that high-profile attacks such as the one on Colonial Pipeline, which caused gas shortages in some places, and the more recent NSO Pegasus campaign, which targeted 50,000 targets across a variety of mobile devices, all appear quite different at first glance; a deeper examination, however, reveals certain similarities. 

According to Tait, the attacks that resulted in physical, real-world problems were massive ransomware-based attacks. Furthermore, they all appear to be driven by supply chain compromises combined with large-volume and often indiscriminate targeting. The third and most prominent similarity is the use of stolen zero-days. 

He explained that North Korea, for instance, targeted security researchers to obtain access to specific research. That research was then used to enable some of these major operations, including the Microsoft Exchange email server attack, in which Chinese nation-state hackers exploited several zero-day vulnerabilities. 

"In both the Kaseya hack and exchange hacks, there's credible evidence that security researchers found these vulnerabilities, these exact vulnerabilities and written exploits for them and at some point between that and the patch being released, or shortly after, somehow these proof of concepts, these working exploits managed to get into the hands of these offensive actors who used them," Tait stated. 

"Governments are interested in taking your zero-days and your need to secure your systems and your vendor communications properly. In the event that you have these, do be careful what you publish. Of course, it's your exploits, do what you want with it -- but be aware that there are trade-offs associated with this." 

The reason comes down to price. If a government can obtain a zero-day for free, the economics of using it change, according to Tait, because losing it costs nothing. Stolen zero-days therefore modify the economics of zero-day exploitation. 

The rising danger of supply chain attacks

Tait described supply chain attacks as a wholly different type of cyber threat. The entire economics of mass exploitation, he explains, is turned upside down by supply chain attacks. 

According to the security expert, bug bounty programs should be re-evaluated to ensure that vulnerabilities are disclosed and patched as soon as possible, which would help safeguard the software supply chain. 

According to Tait, researchers are now motivated to "sit on" high-impact vulnerabilities in the hopes of developing them into "full chain" attacks. While these chains provide the highest reward payouts, each day a zero-day stays unpatched is a possibility for another, possibly malicious third party to discover it. They utterly reshape the entire economics of mass exploitation, according to him. 

The major issue, according to Ryan Olson, vice president of threat intelligence at Palo Alto Networks' Unit 42 division, is the time it takes for a supply chain attack to be discovered. Companies might be compromised for months before they realize it. That is especially bad for smaller software companies without an IT department or a security operations center. 

Supply chain attacks, according to Tait, may be used for cyber espionage, as in the case of SolarWinds, where high-profile clients were harmed, as well as for physical harm, such as ransomware. Tait concluded that supply chain infections can only be fixed by platform vendors, arguing that government intervention or regulation will do little to address the problem.

New Spectra Attack that breaks the division between Wi-Fi and Bluetooth to be released at Black Hat Security Conference


The researchers call it "Spectra." The attack targets "combo chips," chips that handle several kinds of radio-based wireless communications, such as Wi-Fi, Bluetooth, LTE, and others. The attack is set to be presented in August at the Black Hat Security Conference in a virtual session, and the full academic paper with all details will also be published in August. The researchers teased a few details in the abstract of the upcoming Black Hat talk: "Spectra, a new vulnerability class, relies on the fact that transmissions happen in the same spectrum, and wireless chips need to arbitrate the channel access."


The Spectra attack exploits the coexistence mechanisms that chipset vendors build into their devices. Combo chips use these mechanisms to switch between wireless technologies at a rapid pace. The researchers state that while coexistence mechanisms improve performance, they also give attackers an opening for side-channel attacks. Jiska Classen of Darmstadt Technical University and Francesco Gringoli of the University of Brescia say they are the first to explore using the coexistence mechanism of combo chips to break the barrier between wireless technologies.

"We specifically analyze Broadcom and Cypress combo chips, which are in hundreds of millions of devices, such as all iPhones, MacBooks, and the Samsung Galaxy S series," the two academics say. "We exploit coexistence in Broadcom and Cypress chips and break the separation between Wi-Fi and Bluetooth, which operate on separate ARM cores." Results vary, but the research group says the following scenarios are possible after a Spectra attack. "In general, denial-of-service on spectrum access is possible. The associated packet meta-information allows information disclosure, such as extracting Bluetooth keyboard press timings within the Wi-Fi D11 core," Gringoli and Classen said. "Moreover, we identify a shared RAM region, which allows code execution via Bluetooth in Wi-Fi. It makes Bluetooth remote code execution attacks equivalent to Wi-Fi remote code execution, thus, tremendously increasing the attack surface." Though the research used Broadcom and Cypress chips for the Spectra attacks, Gringoli and Classen are confident that the attack will work on other chips.