Search This Blog
Powered by Blogger.

Blog Archive

Labels

Load More
Trendy Right Now

Popular Posts

Showing posts with label CyberCrime. Show all posts
Technology
AGI AI Artificial Intelligence CyberCrime Cybersecurity Cyberthreats Human Level Intelligence OpenAI Technology

OpenAI's O3 Achieves Breakthrough in Artificial General Intelligence

 



 
In recent times, the rapid development of artificial intelligence took a significant turn when OpenAI introduced its O3 model, a system demonstrating human-level performance on tests designed to measure “general intelligence.” This achievement has reignited discussions on artificial intelligence, with a focus on understanding what makes O3 unique and how it could shape the future of AI.

Performance on the ARC-AGI Test 
 
OpenAI's O3 model showcased its exceptional capabilities by matching the average human score on the ARC-AGI test. This test evaluates an AI system's ability to solve abstract grid problems with minimal examples, measuring how effectively it can generalize information and adapt to new scenarios. Key highlights include:
  • Test Outcomes: O3 not only matched human performance but set a new benchmark in Artificial General Intelligence (AGI) development.
  • Adaptability: The model demonstrated the ability to draw generalized rules from limited examples, a critical capability for AGI progress.
Breakthrough in Science Problem-Solving 
 
Beyond the ARC-AGI test, the O3 model excelled in solving complex scientific questions. It achieved an impressive score of 87.7% compared to the 70% score of PhD-level experts, underscoring its advanced reasoning abilities. 
 
While OpenAI has not disclosed the specifics of O3’s development, its performance suggests the use of simple yet effective heuristics similar to AlphaGo’s training process. By evaluating patterns and applying generalized thought processes, O3 efficiently solves complex problems, redefining AI capabilities. An example rule demonstrates its approach.

“Any shape containing a salient line will be moved to the end of that line and will cover all the overlapping shapes in its new position.”
 
O3 and O3 Mini models represent a significant leap in AI, combining unmatched performance with general learning capabilities. However, their potential brings challenges related to cost, security, and ethical adoption that must be addressed for responsible use. As technology advances into this new frontier, the focus must remain on harnessing AI advancements to facilitate progress and drive positive change. With O3, OpenAI has ushered in a new era of opportunity, redefining the boundaries of what is possible in artificial intelligence.
Read more »
Over AI Standarization
AI Algorithms AP Artificial Intelligence ChatGPT Cyber Attacks CyberCrime Cybersecurity CyberThreat Dutch Authority Flags Human Centred Approach OpenAI Over AI Standarization

Dutch Authority Flags Concerns Over AI Standardization Delays

 


As the Dutch privacy watchdog DPA announced on Wednesday, it was concerned that software developers developing artificial intelligence (AI) might use personal data. To get more information about this, DPA sent a letter to Microsoft-backed OpenAI. The Dutch Data Protection Authority (Dutch DPA) imposed a fine of 30.5 million euros on Clearview AI and ordered that they be subject to a penalty of up to 5 million euros if they fail to comply. 

As a result of the company's illegal database of billions of photographs of faces, including Dutch people, Clearview is an American company that offers facial recognition services. They have built an illegal database. According to their website, the Dutch DPA warns that Clearview's services are also prohibited. In light of the rapid growth of OpenAI's ChatGPT consumer app, governments, including those of the European Union, are considering how to regulate the technology. 

There is a senior official from the Dutch privacy watchdog Autoriteit Persoonsgegevens (AP), who told Euronews that the process of developing artificial intelligence standards will need to take place faster, in light of the AI Act. Introducing the EU AI Act, which is the first comprehensive AI law in the world. The regulation aims to address health and safety risks, as well as fundamental human rights issues, as well as democracy, the rule of law, and environmental protection. 

By adopting artificial intelligence systems, there is a strong possibility to benefit society, contribute to economic growth, enhance EU innovation and competitiveness as well as enhance EU innovation and global leadership. However, in some cases, the specific characteristics of certain AI systems may pose new risks relating to user safety, including physical safety and fundamental rights. 

There have even been instances where some of these powerful AI models could pose systemic risks if they are widely used. Since there is a lack of trust, this creates legal uncertainty and may result in a slower adoption of AI technologies by businesses, citizens, and public authorities due to legal uncertainties. Regulatory responses by national governments that are disparate could fragment the internal market. 

To address these challenges, legislative action was required to ensure that both the benefits and risks of AI systems were adequately addressed to ensure that the internal market functioned well. As for the standards, they are a way for companies to be reassured, and to demonstrate that they are complying with the regulations, but there is still a great deal of work to be done before they are available, and of course, time is running out,” said Sven Stevenson, who is the agency's director of coordination and supervision for algorithms. 

CEN-CELENEC and ETSI were tasked by the European Commission in May last year to compile the underlying standards for the industry, which are still being developed and this process continues to be carried out. This data protection authority, which also oversees the General Data Protection Regulation (GDPR), is likely to have the shared responsibility of checking the compliance of companies with the AI Act with other authorities, such as the Dutch regulator for digital infrastructure, the RDI, with which they will likely share this responsibility. 

By August next year, all EU member states will have to select their AI regulatory agency, and it appears that in most EU countries, national data protection authorities will be an excellent choice. The AP has already dealt with cases in which companies' artificial intelligence tools were found to be in breach of GDPR in its capacity as a data regulator. 

A US facial recognition company known as Clearview AI was fined €30.5 million in September for building an illegal database of photos and unique biometric codes linked to Europeans in September, which included photos, unique biometric codes, and other information. The AI Act will be complementary to GDPR, since it focuses primarily on data processing, and would have an impact in the sense that it pertains to product safety in future cases. Increasingly, the Dutch government is promoting the development of new technologies, including artificial intelligence, to promote the adoption of these technologies. 

The deployment of such technologies could have a major impact on public values like privacy, equality in the law, and autonomy. This became painfully evident when the scandal over childcare benefits in the Netherlands was brought to public attention in September 2018. The scandal in question concerns thousands of parents who were falsely accused of fraud by the Dutch tax authorities because of discriminatory self-learning algorithms that were applied while attempting to regulate the distribution of childcare benefits while being faced with discriminatory self-learning algorithms. 

It has been over a year since the Amsterdam scandal raised a great deal of controversy in the Netherlands, and there has been an increased emphasis on the supervision of new technologies, and in particular artificial intelligence, as a result, the Netherlands intentionally emphasizes and supports a "human-centred approach" to artificial intelligence. Taking this approach means that AI should be designed and used in a manner that respects human rights as the basis of its purpose, design, and use. AI should not weaken or undermine public values and human rights but rather reinforce them rather than weaken them. 

During the last few months, the Commission has established the so-called AI Pact, which provides workshops and joint commitments to assist businesses in getting ready for the upcoming AI Act. On a national level, the AP has also been organizing pilot projects and sandboxes with the Ministry of RDI and Economic Affairs so that companies can become familiar with the rules as they become more aware of them. 

Further, the Dutch government has also published an algorithm register as of December 2022, which is a public record of algorithms used by the government, which is intended to ensure transparency and explain the results of algorithms, and the administration wants these algorithms to be legally checked for discrimination and arbitrariness.
Read more »
Technology
Border Security Force CyberCrime Cyberhackers Cybersecurity Cyberthreats GPS Technology

Rising GPS Interference Threatens Global Aviation and Border Security

 


A recent report by OPS Group, a global aviation safety network, has highlighted a sharp rise in GPS interference across several global conflict zones, including India’s borders with Pakistan and Myanmar. This interference poses significant risks to passenger aircraft flying over these regions, raising serious safety concerns.

Causes of GPS Interference

According to the September report, the increase in GPS interference near borders stems from enhanced security measures and the widespread use of drones for illicit activities. These factors have contributed to the rise of “spoofing,” a cyberattack technique where false GPS signals are transmitted to deceive navigation systems. By manipulating GPS signals, spoofing can create false positions, speeds, or altitudes, leading to impaired navigation accuracy and potential aviation incidents.

To counter these threats, technologies like the Inertial Reference System (IRS) provide an alternative to GPS by calculating positions independently. The IRS offers similar accuracy and is unaffected by signal disruptions, making it a valuable backup for navigation systems in high-risk zones.

India has implemented GPS jamming technologies along its border with Pakistan to enhance security and combat drone-based smuggling operations. These drones, often used to transport narcotics, weapons, and counterfeit currency, have become a growing concern. Reports indicate that GPS interference in the region has reached levels of 10%, significantly hindering illegal drone activity. The Border Security Force (BSF) has recovered a range of contraband, including narcotics and small arms, thanks to these efforts.

Drone activity has surged in recent years, particularly along the India-Pakistan border. In Punjab alone, sightings increased from 48 in 2020 to 267 in 2022, accounting for over 83% of reported drone activities along this border. The eastern border has also seen a rise in drone use for smuggling gold, exotic wildlife, and other contraband from Myanmar and Bangladesh. While effective against drones, GPS jamming can inadvertently impact civilian navigation systems, affecting vehicle and aircraft operations in the vicinity.

Global Aviation Safety Concerns

The issue of GPS interference extends beyond border security and affects global aviation. During this year’s 14th Air Navigation Conference held by the International Civil Aviation Organization (ICAO) in Montreal, delegates addressed the growing risks posed by interference with the Global Navigation Satellite System (GNSS). Such disruptions can compromise the accuracy of aircraft positioning and navigation systems, raising safety concerns.

To mitigate these risks, the conference proposed measures such as enhanced communication between stakeholders, improved information-sharing mechanisms, and the establishment of a global contingency plan for GNSS signal outages. These initiatives aim to reduce the impact of GPS interference on aviation safety and ensure continuity in navigation services.

The rising prevalence of GPS interference underscores the need for robust countermeasures and international collaboration. While advancements in jamming technologies and alternative navigation systems address immediate threats, a long-term strategy focused on securing navigation infrastructure and mitigating interference is essential for safeguarding both national security and global aviation operations.

Read more »
Healthcare system
Cyber Security Cyberattacks CyberCrime Cyberhackets Cyberthreats Health and Human Service Healthcare system

Transforming Cybersecurity Protocols for US Healthcare Systems

 


In a proposal posted on Friday in the Federal Register, the Office for Civil Rights of the US Department of Health and Human Services (HHS) outlined several new requirements that could improve the cybersecurity practices of healthcare organizations. The proposal, which includes requirements for multifactor authentication, data encryption, and routine vulnerability and breach scans, was posted to the Federal Register on Friday. 

Furthermore, anti-malware protection for systems handling sensitive information will be mandated, network segmentation will be implemented, backup and recovery controls will be separated, and yearly audits will be conducted to ensure compliance with the law. Additionally, the new requirements will require that sensitive information systems be protected against malware, the network must be segmented, backup and recovery controls must be separate, and compliance with these requirements must be monitored annually.

Since healthcare organizations hold such sensitive data and provide critical services to society, they have become increasingly vulnerable to threat actors. As a result of this, organizations have become increasingly forced to pay large ransoms for their systems and information to continue to operate as a consequence of the attacks. HHS' Office for Civil Rights (OCR) has proposed strict cybersecurity rules that will be published as a final rule within 60 days, and they will be issued by the Office of Civil Rights. 

Under these regulations, healthcare organizations will be required to protect protected health information by encrypting it, using multifactor authentication, and segmenting their networks to prevent attackers from moving laterally through the networks. It was announced on Thursday that Anne Neuberger, U.S. deputy national security advisor for cyber and emerging technology, said that it is necessary to establish these requirements in light of the huge number of Americans whose data was compromised due to large healthcare information breaches. 

As part of the proposals, data will be encrypted so that it cannot be accessed, even if it is leaked, and compliance checks will be required to ensure networks are compliant with cybersecurity regulations. Moreover, HHS has shared a fact sheet outlining the proposal, which will update the HIPAA Security Rule to include information about health insurance portability and accountability. It is expected that the public comment period will be open for 60 days. 

Reuters reports that during a press briefing, US Deputy National Security Advisor Anne Neuberger stated the plan would cost $9 billion in the first year, and $6 billion in the subsequent four years, as outlined in a press briefing. A significant increase in large-scale data breaches has taken place over the past few years, and just in the last year, the healthcare industry has been victimized by several large-scale cyberattacks, including hacking into the Ascension and UnitedHealth systems that have disrupted hospitals, doctors' offices, and pharmacies. 

There has been a considerable amount of evidence over the years pointing to Chinese state-sponsored actors as responsible for cyberattacks on American companies and agencies. There has been a massive hack on US telecom companies in the last year, which was blamed on "PRC-affiliated actors" by the FBI. According to The Post, the actors, known by the name Salt Typhoon, targeted the mobile phones of diplomats, government officials, and people associated with both presidential campaigns, allegedly. Chinese officials have called the allegations of their country participating in the attack on the Treasury Department "groundless" and emphasized that "the government has always been opposed to all hacker attacks," according to The Post.

Not only does not acting cost a lot of money, but it also endangers critical infrastructure and patients' safety and has other harmful consequences," says a recent statement by one of the largest private healthcare organizations in the country, Ascension Healthcare System. In May, a ransomware attack stole nearly 5.6 million people's personal and health information. After the cyberattack, Ascension employees were inevitably forced to keep track of medications and procedures on paper because electronic patient records could no longer be accessed. 

To prevent triage delays, the healthcare giant also took some devices offline and diverted emergency medical services to other hospitals. As a result of a hacking attack on UnitedHealth Group, more than 100 million US customers were exposed to data that was sold on the dark web, causing significant disruption for patients and staff at the hospital.

The hospitals were forced to operate by hand. Neuberger asserted that Americans' sensitive healthcare data, mental health information, and other data are being "leaked onto the dark web with the possibility that individuals could be blackmailed as a result of the leak,"
Read more »
Vulnerabilities and Exploits
Cyberattacks CyberCrime Cyberhackers Cybersecurity Cyberthreats Four-Fait Routers VulnCheck Vulnerabilities and Exploits

Critical Security Issue Hits Four-Faith Routers

 


According to VulnCheck, a critical vulnerability identified as CVE-2024-12856 has been discovered in Four-Faith industrial routers, specifically affecting the F3x24 and F3x36 models, as well as users’ machines. Evidence suggests active exploitation of this vulnerability in the wild, raising significant security concerns for industrial and enterprise users. The flaw resides in the router’s system time adjustment function, where a post-authentication vulnerability allows attackers to execute remote commands on compromised devices.

Technical Details of the Vulnerability

The routers, running firmware version 2.0, are susceptible to an authenticated remote command execution flaw via the HTTP endpoint apply.cgi. Attackers can manipulate the system time parameter using POST requests, enabling arbitrary command execution. Additionally, the firmware is configured with default credentials that, if left unchanged, can escalate the vulnerability to allow unauthenticated remote OS command injection.

Data provided by VulnCheck indicates that approximately 15,000 internet-facing routers may be affected by this issue. Exploitation campaigns have been observed since at least November 2024, with attackers altering system parameters remotely. The attacks appear to originate from multiple IP addresses and utilize Mirai-like payloads to compromise the devices. VulnCheck notes that some payloads share similarities with those used to exploit a prior vulnerability (CVE-2019-12168), although the underlying components differ.

Security researchers have identified attack patterns involving two primary IP addresses, including 178.215.238.91, as sources of active exploitation campaigns. User-Agent strings from these attacks match earlier campaigns documented in November 2024, with new payload variations targeting the identified flaw. While the attacks remain low-scale, they demonstrate a high level of persistence.

Censys data corroborates VulnCheck’s findings, suggesting that the vulnerability has been exploited consistently since its initial observation. Despite this, an official from Bains, speaking to The Hacker News, emphasized that the attacks are not widespread and appear to involve a small number of attackers using spamming techniques at a low frequency.

Mitigation Recommendations

As of now, there is no confirmation regarding the availability of security patches for the affected firmware. VulnCheck disclosed the vulnerability to Four-Faith on December 20, 2024, and awaits a response. In the interim, researchers strongly advise users to take the following measures to mitigate potential risks:

  • Immediately change default credentials on affected devices.
  • Restrict network exposure by placing routers behind firewalls or VPNs.
  • Monitor device activity for unusual or unauthorized behavior.
  • Implement detection rules, such as the Suricata rule provided by VulnCheck, to identify suspicious HTTP POST requests indicative of the attack.

Impact and Implications

By exploiting this vulnerability, attackers can gain full control over affected devices, including executing reverse shell commands to maintain persistent access while concealing their identities. Such control poses a severe threat to organizations reliant on Four-Faith routers for critical operations.

The absence of immediate patches has prompted security researchers to highlight the importance of adopting proactive measures. Organizations are advised to strengthen their defenses against suspicious activity while awaiting updates from Four-Faith. VulnCheck, adhering to responsible disclosure policies, has withheld additional technical details and information about patches until a response from the manufacturer is received.

This incident underscores the critical need for robust firmware security practices, including eliminating default credentials and ensuring timely patch management, to protect against emerging threats in industrial environments.

Read more »
Online Store Security
Cyberattacks CyberCrime Cyberfrauds Cyberhackers Cybersecurity CyberThreat JavaScript malware Online Store Security

Cyberattack Compromises European Space Agency Online Store Security

 


A malware attack on the European Space Agency's official web shop revealed that the application was hacked by loading a JavaScript script that generated a fake Stripe payment page at checkout. With an annual budget of more than 10 billion euros, the European Space Agency (ESA) is dedicated to extending the boundaries of space activity through the training of astronauts and the development of rockets and satellites for exploring our universe's mysteries. 

Thousands of people were put at risk of wire fraud after the European Space Agency (ESA) website was compromised due to the recent exploitation of a credit card skimmer, which was found to be malicious on ESA's webshop. According to researchers from Sansec, the script creates a fake Stripe payment page when the customer is at checkout, which collects information from the customer. 

As a result of the fake payment page being served directly from ESA's web shop, which mimicked an authentic Stripe interface, it appeared authentic to unsuspecting users, who were unaware of the fraudulent payment process. According to Source Defense Research, screenshots of the malicious payment page were provided alongside the real one in the post, but this attack took advantage of domain spoofing with a different top-level domain to exploit domain spoofing, using a nearly identical domain name for the attack. 

The official shop of the European Space Agency is located under the domain "esaspaceshop.com," but the attackers used the domain "esaspaceshop.pics" to deceive visitors. Sansec, who flagged the incident, emphasized that the integration of the webshop with ESA's internal systems could significantly increase the risks for both employees and customers of the agency. 

An examination of the malicious script revealed that its HTML code was obscured, which facilitated detection as well as the theft of sensitive payment information, as it contained obfuscated HTML code derived from the legitimate Stripe SDK. The malicious code was created to create a convincing fake Stripe payment interface that looked legitimate because it was hosted by the official ESA web store domain. 

Although the fake payment page was removed, researchers discovered that the malicious script remained in the source code of the site. As of today, the ESA website has been taken offline, displaying a message indicating it has been taken out of orbit for an extended period. The agency clarified that this store is not hosted by its infrastructure, and they do not manage its associated data. 

As confirmed by whois lookup records indicating different ownership between the main domain of ESA (esa.int) and the compromised web store, it is not known exactly how many customers were affected by the breach, nor what financial impact it had. According to ESA's website, the company is well known for its role in astronaut training and satellite launches. However, it has not yet provided details as to how it intends to strengthen its online security measures after the incident occurred. 

A recent cyberattack on well-respected institutions shows just how vulnerable they can be to cyber attacks, especially when their e-commerce systems are integrated into a broader organization's network. According to cybersecurity experts, e-commerce platforms are urged to prioritize robust security protocols to prevent similar incidents from occurring in the future. This can erode customer trust and result in significant financial consequences. 

The past few months have seen an increase in cyberattacks targeting e-commerce platforms, with criminals using digital skimming methods to steal payment information. Earlier in August 2024, Malwarebytes reported that it had infiltrated Magento-based e-commerce platforms with skimmer code, exposing sensitive customer information, such as credit card numbers, by November 2024, as described by Malwarebytes. 

Sucuri discovered several PHP-based skimmers, such as Smilodon, harvesting payment data covertly. Although these skimmers were highly obfuscated, their detection was significantly hindered. Finland's Cybersecurity Centre reported in December 2024 that skimming attacks were on the rise, where malicious code embedded on payment pages was used to steal credit card information. Those developments highlight the crucial need for e-commerce platforms to implement robust security measures to ensure their customers' data is protected from unauthorized access. 

It is still unclear who was responsible for these attacks, but Magecart, one of the most infamous threat groups around, has been previously linked to similar activities, including installing credit card skimmers on prominent websites, which are typical of such attacks. During March 2023, Malwarebytes speculated that this group was involved in an extensive series of attacks targeting multiple online retailers, but this was not the first mention of the group. 

The majority of victims of credit card fraud that results from such breaches can receive refunds from their banks. Cybercriminals, however, use the stolen funds to finance malicious campaigns, including malware distribution. Likely, significant damage has already been done by the time the affected cards are locked and the funds are returned, even though the stolen funds can be used to finance fraudulent campaigns.
Read more »
Unfrastructure
Cyber Attacks CyberCrime Cybersecurity CyberThreat Interlock Ransomware attack Unfrastructure

Critical Infrastructure Faces Rising Ransomware Risks

 


In October 2024, Interlock claimed to have attacked several organizations, including Wayne County, Michigan, which is known for its cyberattacks. Ransomware is characterized by the fact that the encrypted data is encrypted by an encryptor specifically designed for the FreeBSD operating system, an operating system widely used in critical infrastructure. 

In late September 2024, a unique approach was used to launch the operation, which uses an encryptor specifically designed for FreeBSD. Interlock has already attacked several organizations, including Wayne County in Michigan, which was attacked in October 2024 by a cybercriminal organization called Interlock.

During the Interlock attack, the attacker breaches corporate networks, steals data from them, spreads to other devices laterally, and encrypts their files. In addition to using double-extortion tactics, they threaten to leak stolen data unless ransom demands of hundreds of thousands to millions of dollars are met. A particular feature of Interlock is its focus on FreeBSD encryptors, which makes it uniquely different from other ransomware groups that target Linux-based VMware ESXi servers. 

FreeBSD is a widely used operating system and a prime target of malicious hackers who want to disrupt critical infrastructure and extort victims for a large sum of money. This FreeBSD encryptor was developed specifically for FreeBSD 10.4, and it is a 64-bit ELF executable that is designed specifically for FreeBSD. 

Although the sample was tested on both Linux and FreeBSD virtual machines, the execution of the code was problematic since it failed to work in controlled environments. A ransomware attack is a sophisticated type of malware that seeks to seize control of data, effectively denying access to files and systems. 

In this malicious software, advanced encryption techniques are employed to render data inaccessible without a unique decryption key exclusive to the attackers. There is usually a ransom payment, usually in cryptocurrency, which victims are required to make to restore access and secure the attackers' privacy. Security experts Simo and MalwareHunterTeam, who analyzed ransomware samples, revealed the attack's initial details and the attackers' anonymity. 

As with most ransomware attacks, Interlock follows a typical pattern: the attackers breach corporate networks, steal sensitive information, copy the data and spread to other devices, encrypting files as they are copied. In addition to using double-extortion tactics, they also threaten to leak stolen data unless the victim pays a ransom of thousands to millions of dollars, depending on the size of the ransom. It is also the focus on FreeBSD that makes Interlock particularly unique, which illustrates why this operating system has a vital role to play in critical systems. 

A major characteristic of Interlock's ransomware is its direct targeting of FreeBSD servers, which are common in web hosting, mail servers, and storage systems. Unlike other ransomware groups that usually target Linux-based VMware ESXi servers, Interlock targets FreeBSD servers. Besides being integral to critical operations, these systems serve as lucrative targets for attackers. 

In spite of FreeBSD's popularity and essential services, its focus can also pose a challenge to cybersecurity professionals. In the initial testing phase of FreeBSD's encryptor, which was explicitly compiled for the FreeBSD 10.4 operating system, it did not prove easy to execute both the FreeBSD and Linux encryptors in controlled environments, since the encryptor is written as a 64-bit ELF executable. However, despite these hurdles, Trend Micro researchers discovered further samples of the encryption, confirming its functionality, strategic focus and capabilities. 

As a reminder of the vulnerabilities within critical infrastructure, Interlock has launched its attacks to increase awareness. The fact that it uses FreeBSD's own encryptor is a troubling development in ransomware tactics. This emphasizes the importance of strong security measures to safeguard against this increasing threat. To minimize the risk and impact of such cyberattacks, organizations should prioritize improving their security strategies.

It is recommended by Ilia Sotnikov, Security Strategist at Netwrix, that organizations use multi-layered security measures to prevent initial breaches, including firewalls and intrusion detection systems, as well as phishing defences. Interlock, a ransomware group that has been attacking organizations worldwide lately, has used an unusual approach of creating an encryptor to attack FreeBSD servers as a means of stealing data. 

Generally, FreeBSD is considered to be one of the most reliable operating systems available, so it is commonly used for critical functions. For example, the web host, mail server and storage systems are all potential targets for attackers, all of which can pose a lucrative threat. According to Sotnikov, depending on their configuration, a server may or may not be directly connected to the Internet, depending on their function. 

The security team should invest in defence-in-depth so that a potential attack is disrupted as early as possible so that every subsequent step for the attacker will be more difficult, and so that potentially harmful activity can be identified as fast as possible with the help of monitoring tools. Considering that the adversary is likely to access the FreeBSD server from inside the network, it might be a good idea to minimize standing privileges by implementing the zero trust principle, which means that a user should only have access to the permissions needed to achieve their tasks, sotnikov suggested.
Read more »
TraderTraitor
Bitcoin Cyber Attacks CyberCrime Cybersecurity CyberThreat DMM FBI Ginco lazarus TraderTraitor

Bitcoin Heist in Japan Attributed to North Korean Cybercriminals

 


A joint alert from the FBI, the Department of Defense (D.O.D.) Cyber Crime Center and the National Police Agency of Japan reveal that a North Korean threat group carried out a significant cryptocurrency theft from Japan's crypto firm DMM in May 2024. The group, referred to as TraderTraitor—also known as Jade Sleet, UNC4899, and Slow Pisces — is believed to be linked to the Lazarus Group, a notorious hacking collective with ties to Pyongyang authorities.

The Lazarus Group, infamous for high-profile cyberattacks, gained notoriety for hacking Sony Pictures in retaliation for the 2009 film The Interview, which mocked North Korean leader Kim Jong Un. Their recent activities, however, focus on cryptocurrency theft, leveraging advanced social engineering techniques and malicious code.

Social Engineering and the Ginco Incident

In late March 2024, a TraderTraitor operative posing as a recruiter contacted an employee of Ginco, a Japanese cryptocurrency wallet software company, via LinkedIn. Disguised as part of a pre-employment process, the operative sent a malicious Python script under the guise of a coding test. The employee unknowingly uploaded the script to their GitHub account, granting the attackers access to session cookie information and Ginco’s wallet management system.

The attackers intercepted legitimate transaction requests from DMM employees by maintaining this access. This led to the theft of over 4,500 bitcoins, valued at $308 million. The funds were traced to accounts managed by the TraderTraitor group, which utilized mixing and bridging services to obfuscate the stolen assets.

North Korea's Financial Strategy and Cryptocurrency Exploitation

With international sanctions severely restricting North Korea's access to global financial systems, the regime increasingly relies on cybercrime and cryptocurrency theft for revenue generation. Due to their decentralized and pseudonymous nature, cryptocurrency presents a lucrative target for laundering stolen funds and bypassing traditional banking systems.

Chainalysis Findings

Blockchain intelligence firm Chainalysis attributed the DMM Bitcoin hack to North Korean actors. The attackers exploited weaknesses in the platform's infrastructure to perform unauthorized withdrawals. The stolen cryptocurrency was routed through multiple intermediary addresses and processed via the Bitcoin CoinJoin mixing service to conceal its origins. Portions of the funds were further transferred through various bridge services before being channelled to HuiOne Guarantee, a website linked to the Cambodian conglomerate HuiOne Group, a known facilitator of cybercrime.

Additional Findings by AhnLab Security Intelligence Center

The AhnLab Security Intelligence Center (ASEC) has reported another North Korean threat actor, Andariel — part of the Lazarus Group — deploying a backdoor known as SmallTiger. This tool has been used in campaigns parallel to those executed by TraderTraitor, highlighting the group's continued evolution in cybercrime tactics.

The coordinated alert from international agencies underscores the urgent need for enhanced cybersecurity measures within the cryptocurrency industry to counter sophisticated threats like those posed by the Lazarus Group and its affiliates.


Read more »
Vulnerabilities and Exploits
Botnet Cyberattacks CyberCrime Cybersecurity CyberThreat Cyberthreats DDOS Attacks IoT Vulnerabilities and Exploits

Understanding and Preventing Botnet Attacks: A Comprehensive Guide

 


Botnet attacks exploit a command-and-control model, enabling hackers to control infected devices, often referred to as "zombie bots," remotely. The strength of such an attack depends on the number of devices compromised by the hacker’s malware, making botnets a potent tool for large-scale cyberattacks.

Any device connected to the internet is at risk of becoming part of a botnet, especially if it lacks regular antivirus updates. According to CSO Online, botnets represent one of the most significant and rapidly growing cybersecurity threats. In the first half of 2022 alone, researchers detected 67 million botnet connections originating from over 600,000 unique IP addresses.

Botnet attacks typically involve compromising everyday devices like smartphones, smart thermostats, and webcams, giving attackers access to thousands of devices without the owners' knowledge. Once compromised, these devices can be used to launch spam campaigns, steal sensitive data, or execute Distributed Denial of Service (DDoS) attacks. The infamous Mirai botnet attack in October 2016 demonstrated the devastating potential of botnets, temporarily taking down major websites such as Twitter, CNN, Reddit, and Netflix by exploiting vulnerabilities in IoT devices.

The Lifecycle of a Botnet

Botnets are created through a structured process that typically involves five key steps:

  1. Infection: Malware spreads through phishing emails, infected downloads, or exploiting software vulnerabilities.
  2. Connection: Compromised devices connect to a command-and-control (C&C) server, allowing the botmaster to issue instructions.
  3. Assignment: Bots are tasked with specific activities like sending spam or launching DDoS attacks.
  4. Execution: Bots operate collectively to maximize the impact of their tasks.
  5. Reporting: Bots send updates back to the C&C server about their activities and outcomes.

These steps allow cybercriminals to exploit botnets for coordinated and anonymous attacks, making them a significant threat to individuals and organizations alike.

Signs of a Compromised Device

Recognizing a compromised device is crucial. Look out for the following warning signs:

  • Lagging or overheating when the device is not in use.
  • Unexpected spikes in internet usage.
  • Unfamiliar or abnormal software behavior.

If you suspect an infection, run a malware scan immediately and consider resetting the device to factory settings for a fresh start.

How to Protect Against Botnet Attacks

Safeguarding against botnets doesn’t require extensive technical expertise. Here are practical measures to enhance your cybersecurity:

Secure Your Home Network

  • Set strong, unique passwords and change default router settings after installation.
  • Enable WPA3 encryption and hide your network’s SSID.

Protect IoT Devices

  • Choose products from companies that offer regular security updates.
  • Disable unnecessary features like remote access and replace default passwords.

Account Security

  • Create strong passwords using a password manager to manage credentials securely.
  • Enable multi-factor authentication (MFA) for an added layer of security.

Stay Updated

  • Keep all software and firmware updated to patch vulnerabilities.
  • Enable automatic updates whenever possible.

Be Wary of Phishing

  • Verify communications directly with the source before providing sensitive information.
  • Avoid clicking on links or downloading attachments from untrusted sources.

Use Antivirus Software

  • Install reputable antivirus programs like Norton, McAfee, or free options like Avast.

Turn Off Devices When Not in Use

  • Disconnect smart devices like TVs, printers, and home assistants to minimize risks.

Organizations can mitigate botnet risks by deploying advanced endpoint protection, strengthening corporate cybersecurity systems, and staying vigilant against evolving threats. Implementing robust security measures ensures that businesses remain resilient against increasingly sophisticated botnet-driven cyberattacks.

Botnet attacks pose a serious threat to both individual and organizational cybersecurity. By adopting proactive and practical measures, users can significantly reduce the risk of becoming victims and contribute to a safer digital environment.

Read more »
Privacy
Camera Security Breach. Cyberattacks CyberCrime Cyberhackers Cybersecurity Cyberthreats Data Theft Privacy

Thousands of Users Exposed by Flawed Camera Streaming App

 


A Cybernews research team discovered a huge exposed data server on June 25th. The server contained 3GB of personal information and telemetry from iPhones equipped with an app known as "Home V." According to the log samples, the data is related to the Home V app, which is used to manage Virtavo security cameras. Elasticsearch, a data analytics and search engine, was exposed by an unsecured server that provided logs containing phone numbers, device identifiers, IP addresses, and firmware versions, among other details about the devices, the network, and the users. 

It has been suspected that these logs were diagnostic reports, which were updated in real-time and appear to have been used for performance monitoring or troubleshooting. As a result of the server's malfunction, more than 8.7 million records were left on the server. Several snapshots were duplicates and for some unique identifiers, there was an appearance of up to 50 snapshots at the same time. In a study, researchers estimated that over 100,000 unique users could be affected, while cybersecurity researchers were able to find an exposed data server that contained 3GB of personal information and was capable of receiving telemetry from iOS devices. 

During the summer of 2023, all the information in the world had one thing in common: it was generated by an app called Home V, which managed Virtavo security cameras. These cameras were capable of streaming videos, playing back videos, communicating with each other, receiving motion alerts, etc. However, indoor surveillance cameras are vulnerable to hacking techniques, which can pose significant security risks due to their vulnerability. Many wireless cameras are pre-configured with usernames such as "admin" and passwords which are easily guessable, such as "admin," "888888," or "123456", which is a common vulnerability. 

When cyber attackers try to gain unauthorized access to online cameras by scanning their cameras and attempting to use these standard login details, they exploit these weak credentials. This can be addressed by implementing a password manager, which will generate and store strong, unique passwords to prevent these attacks. Password security is a significant concern for many people, especially when transmitting unencrypted data. 

Even though users can update a camera's password, some devices still transmit this information unencrypted over the internet. Consequently, they may be able to be intercepted by attackers and then used to access the camera if they have the stolen information. It is also possible that the Wi-Fi password is transmitted unencrypted in some cases, further undermining your network's security. In particular, one of the most severe threats is the possibility of a full camera takeover, in which attackers gain access to the device at the root level. 

ith this level of access, attackers can fully control the camera. As a result of such an attack, the surveillance camera can be turned into a tool for further malicious activities if it is tampered with, its settings are altered, and it can even be installed with malware. To minimize these risks, users must make sure that they take steps to ensure that their security systems are protected by strong passwords, encrypting their data and staying abreast of potential vulnerabilities. 

The exposed logs contained a wide range of critical information regarding the user and the device, raising concerns about data security and privacy. Among other things, the information also contained information regarding the device and software, such as the version of the app, the device model (e.g., iPhone12,5, which corresponds to the iPhone 11 Pro Max), the operating system, the firmware version, as well as details regarding video decoding, including the use of video decoding software such as "VideoTool Box" to decode H.264 files. 

 As part of the project, information related to the user’s network was collected, including their country code (e.g., CN for China), their IP address which identified the server's physical location, their connection type, such as “cellular,” and information about the network operator and settings. It was also revealed that the data contained unique user identifiers, such as user accounts linked to phone numbers or email addresses, as well as unique user identifiers (User IDs and UUIDs), and numeric device identifiers, which were all part of the exposed data. 

It is also possible to measure performance metrics, such as how fast the video frame is decoded at the beginning of the video stream, which reflects video playback speed, as well as how strong the WiFi signal is, even if the connection type is cellular. The log entries were also accompanied by timestamps which indicated when they were created, server codes that could identify servers that handled the requests (e.g., "sh" might indicate Shanghai for example), and the time zone offset of the device or server. 

As a result of the comprehensive nature of this data, it becomes increasingly evident that users are exposed to a large amount of sensitive information, and robust security measures are essential to protect it. In general, various data protection laws require businesses to limit data collection through data minimization and purpose limitation – in other words, they must collect only the amount of data necessary to achieve a specific objective. 

Additionally, organizations are required to obtain express consent from individuals and to provide transparency on how the data is utilized, otherwise, the exposure of user information could result in non-compliance and legal penalties. It appears the application collects a considerable amount of information beyond what is actually required to perform the application's basic functions, raising questions about whether data minimization is following data protection laws," the researchers wrote in their report.
Read more »
Cybersecurity
Crypto Hacks cryptocurrency Cryptocurrency Breach Cyber Fraud CyberCrime Cyberhackers Cybersecurity

Global Crypto Hacks Escalate to $2.2 Billion in 2024

 


Chainalysis, a blockchain analytics company that provides data analysis on the blockchain ecosystem, has reported that the volume of compromised crypto funds and the number of hacking incidents are set to rise in 2024. The report states that the total amount of stolen crypto funds rose by approximately 21.07% year-over-year (YoY), reaching $2.2 billion over the period. It also reports that the number of individual cyber-attacks increased from 282 in 2023 to 303 incidents in 2024, an increase of 34 per cent. 

During its report this year, Chainalysis noted that hackers also increasingly target centralized services such as cryptocurrency exchanges. In addition to Bitcoin's 140% increase in value this year surpassing $100,000, the rise in crypto heists also coincides with the institutional support of U.S. President-elect Donald Trump. There have been 303 hacking incidents so far in 2023, compared to 282 in 2023 and 1.8 billion dollars, but that’s only about Rs. 15,302 crores, which means hackers stole 1.8 billion dollars (roughly Rs. 15,302 crores) in 2023, according to the report. 

There has been an increase in crypto heists as the value of Bitcoin reached $100,000 (roughly Rs. 85 lakh) this year, and it has drawn institutional support and backing from US President-elect Donald Trump, who has become one of the biggest supporters of the digital currency. It is noted that DeFi still accounted for the largest share of stolen assets in the first quarter of 2024, but centralized services were more likely to be hacked during the second and third quarters. 

According to Chainalysis' report, several notable hacks of centralized services occurred, such as the hack of DMM Bitcoin in May 2024, which cost $305 million, and WazirX in July 2024, which cost $234.9 million. The WazirX hack in July of this year resulted in huge losses for the Indian cryptocurrency exchange, which has responded by stopping users from withdrawing their remaining cryptocurrency and is currently requesting a reorganization in Singapore. 

In addition, the Chainalysis report noted that North Korean hackers continue to try to steal cryptocurrency, particularly to avoid sanctions, as well as that the North Korean hackers are continuing to conduct cyber-attacks. As the industry faces an increasingly challenging environment in the new year, the industry has a lot of work to do to fight the proliferation of such crimes, especially fraud, that will undoubtedly pose a key challenge. 

Several reports concluded that the majority of the stolen crypto this year resulted from compromised private keys that control access to users' assets. A majority of the attacks targeted centralized platforms. There were several notable hacks during the past year. The most significant ones were the theft of $305 million from Japan's DMM Bitcoin in May, and the loss of $235 million from India's WazirX in July. According to Chainalysis, North Korea-related crypto hacking increased by more than double from a year ago to 1.3 billion dollars in 2024, which is a record.
Read more »
Technology
Cyberattacks CyberCrime Cyberhackers Cybersecurity Google Google Docs Microsoft Word Proton Docs Technology

Proton Docs vs Google Docs in the Productivity Space

 


For those who are concerned about privacy, Proton has announced an end-to-end encrypted document editor intended to be a viable alternative to Microsoft Word and Google Docs. This application, released on Wednesday by the Swiss software vendor best known for its encrypted email app, provides office workers with many document creation features they might use in their daily work.

Swiss-based and privacy-conscious Proton is now focusing on cloud-based document editing as it has built up its email, VPN, cloud storage, password manager, and cloud storage offerings. Proton Docs, a newly launched service that offers an array of features and privacy protections, might be just what users need to make it work for them.

With regards to its user interface and user experience, Proton Docs draws inspiration from Google Docs while also introducing its distinctive twists. In addition to its clean, minimalist design, Proton Docs has a central focus on the document, and users can find familiar functions with icons at the top representing the common formatting options (such as bold, italics, headings, and lists).

However, the top of the screen does not have a dedicated menu bar, and all options can be found in the default toolbar. Proton Docs keeps a very similar layout to Google Docs and, therefore, if someone is transitioning from Google Docs to Proton Docs, they should not have any problems getting started with their drafts right away. The work that was done by Proton was excellent.

A lot of the basic features of Proton Docs are similar to those of Google Docs, and the first thing users will notice is that the application looks very much like Google Docs: white pages with a formatting toolbar up top, and a cursor at the top that displays who is in the document as well as a cursor to clear the document at the top. The fact is that this isn’t particularly surprising for a couple of reasons.

First of all, Google Docs is extremely popular, and the options for styling a document editor are not that many. In other words, Proton Docs has been created in large part to offer all the benefits of Google Docs, just without Google. Docs are launching inside Proton Drive today, and as part of the privacy-focused suite of work tools offered by Proton, it will be the latest addition.

It has become clear that Proton has expanded its offering from email to include a calendar, a file storage system, a password manager, and more since it began as an email client. Adding Docs to the company's ecosystem seems like a wise move since it aims to compete against Microsoft Office and Google Workspace, and it was coming soon after Proton acquired Standard Notes in April.

According to Proton PR manager Will Moore, Notes would not disappear — Docs is borrowing some of its features instead. Proton Docs is a full-featured, end-to-end encrypted word processor with the ability to store files and even its users' keys (keystrokes and cursor movements) end-to-end encrypted, so that no one, including Proton staff, will be able to access any of the users' files (not even the users). This makes it much more difficult for hackers and data breaches to access the files, thereby making them more secure. There has been a lack of improvement in this area in Proton Docs.

However, even though it is part of the growing portfolio of the company, it does not fully integrate with its existing platform. There is no ability to access calendars and contacts from the sidebar like Google Docs, and it does not have the same functionality as Google Pages. Additionally, there is no easy way for users to import existing documents, files, or media from a Proton Drive account directly into the application.

In contrast, Google Docs provides the convenience of typing an "@" followed by the name of a file from users' Google Drive account and inserting the document from there as soon as they click the hyperlink. A feature such as this is particularly useful when a document needs to include multiple files in addition to the document itself. A second advantage of Proton Docs is the use of Swiss cloud servers, which provide storage of users' data on Proton Docs' servers in Switzerland.

It is thanks to the strict Swiss laws that protect the information stored on these servers that they cannot be accessed by regulatory authorities in regions like the European Union and the United States. A new feature known as Proton Docs is scheduled to be rolled out to Proton Drive customers starting today, with the ability to access the feature expected to be available to everyone within the next few days, as per Proton.

Powered by the Proton Drive platform, Proton Drive operates on a freemium model with individual subscriptions to the platform costing as little as €10 per month (approximately $10.80 when billed annually). The monthly subscription fee for Proton for Business is €7 per user per month and can be purchased in any amount.

Read more »
SEV
Advantech vulnerabilities Cyber Privacy Cyber Technology Cyberattacks CyberCrime Cyberhackers Cybersecurity Cyberthreats Data Breach Data protection nAMD System SEV

AMD Systems Vulnerability Could Threaten Encrypted Data Protection

 


There has been an announcement of a new technique for bypassing key security protections used in AMD chips to gain access to the clients of those services. Researchers believe that hackers will be able to spy on clients through physical access to cloud computing environments. Known as the "badRAM" security flaw, it has been described as a $10 hack that undermines the trust that the cloud has in it. 

This vulnerability was announced on Tuesday. Like other branded vulnerabilities, this vulnerability is being disclosed on a website with a logo and will be explained in a paper to be presented at next May's IEEE Symposium on Security and Privacy 2025. 

There is an increasing use of encryption in today's computers to protect sensitive data in their DRAM, especially in shared cloud environments with multiple data breaches and insider threats, which are commonplace. The Secure Encrypted Virtualization (SEV) technology of AMD enables users to protect privacy and trust in cloud computing by encrypting the memory of virtual machines (VMs) and isolating them from advanced attackers, including those who compromise critical infrastructure like the virtual machine manager and firmware, which is a cutting-edge technology. 

According to researchers, AMD's Secure Encrypted Virtualization (SEV) program, which protects processor memory from prying eyes in virtual machine (VM) environments, is capable of being tricked into letting someone access the contents of its encrypted memory using a test rig which costs less than $10 and does not require additional hardware. It is important to note that AMD is among the first companies to leverage the capabilities of chipset architecture to improve processor performance, efficiency, and flexibility. 

It has been instrumental in extending and building upon Moore's Law performance gains and extending them further. As a result of the firm's research, performance gains under Moore's Law have been extended and built upon, and the company announced in 2018 that the first processor would have a chipset-based x86 CPU design that was available. Researchers at the University of Lübeck, KU Leven, and the University of Birmingham have proposed a conceptually easy and cheap attack called “BadRAM”. 

It consists of a rogue memory module used to trick the CPU into believing that it has more memory than it does. Using this rogue memory module, you get it to write its supposedly secret memory contents into a "ghost" space that is supposed to contain the hidden memory contents. In order to accomplish this task, researchers used a test rig anyone could afford to buy, composed of a Raspberry Pi Pico, which costs a couple of dollars, and a DIMM socket for DDR4/5 RAM modules. 

The first thing they did was manipulate the serial presence detection (SPD) chip within the memory module so that it would misreport the amount of memory onboard when the device was booted up – the “BadRAM” attack. Using reverse engineering techniques to locate these memory aliases, they had access to memory contents by bypassing the system's trusted execution environment (TEE), as this created two physical addresses referencing the same DRAM location. 

According to the CVE description, the issue results from improper input validation of DIM SPD metadata, which could potentially allow an attacker with certain access levels to overwrite guest memory, as the issue is described as a result of improper input validation. It has been deemed a medium severity threat on the CVSS, receiving a 5.3 rating owing to the high level of access that a potential attacker would need to engage to successfully exploit the problem. 

According to AMD, the issue may be a memory implementation issue rather than a product vulnerability, and the barriers to committing the attack are a lot higher than they would be if it were a software product vulnerability. AMD was informed of the vulnerability by the researchers in February, which has been dubbed CVE-2024-21944, as well as relates specifically to the company’s third and fourth-generation EPYC enterprise processors. According to AMD’s advisory, the recommendation is to use memory modules that lock SPD and to follow physical security best practices. 

A firmware update has also been issued, although each OEM's BIOS is different, according to AMD. As the company has stated on several occasions, it will make mitigations more prominent in the system; there is specific information on the condition of a Host OS/Hypervisor, and there is also information available on the condition of a Virtual Machine (Guest) to indicate that mitigation has been applied.

The AMD company has provided an in-depth explanation of the types of access an attacker would need to exploit this issue in a statement given to ITPro, advising clients to follow some mitigation strategies to prevent the problem from becoming a problem. The badRAM website states that this kind of tampering may occur in several ways — either through corrupt or hostile employees at cloud providers or by law enforcement officers with physical access to the computer. 

In addition, the badRAM bug may also be exploited remotely, although the AMD memory modules are not included in this process. All manufacturers, however, that fail to lock the SPD chip in their memory modules, will be at risk of being able to modify their modules after boot as a result of operating system software, and thus by remote hackers who can control them remotely. 

According to Recorded Future News, Oswald has said that there has been no evidence of this vulnerability being exploited in the wild. However, the team discovered that Intel chips already had mitigations against badRAM attacks. They could not test Arm's modules because they were unavailable commercially. An international consortium of experts led by researchers from KU Leuven in Belgium; the University of Luebeck in Germany; and the University of Birmingham in the United Kingdom conducted the research.
Read more »
WInnti Hackers
Chinese Cyber Threat Cyber Attacks CyberCrime Cyberhackers Cybersecurity CyberThreat Glutton PHP Backdoors WInnti Hackers

Rising Tactics of Winnti Hackers Include Deploying Glutton PHP Backdoors

 


In the past few months, researchers at a Chinese cybersecurity firm have been responsible for the discovery of an advanced PHP backdoor that supports Winnti, a group linked to Chinese cybercrime that is launching increasingly sophisticated attacks. Research has been conducted into the use of a PHP-based backdoor called Glutton, which has been used by cyber criminals to target China, Japan, the Republic of Korea, Cambodia, Pakistan, and South Africa through cyber attacks. 

As early as late April 2024, the Chinese nation-state group set up by Winnti (aka APT41), which has roots in North Korea, discovered malicious activity in a network from the Chinese nation-state group Chongqing Henchmen. The company also disclosed that its investigation revealed that Glutton's creators deliberately targeted systems within the cybercrime market with their tools to create malware. They poisoned operations intending to turn cybercriminals' tools against them, similar to the classic scenario from the movie.

The Winnti hacking group, sometimes referred to as APT41 is a notorious state-sponsored group known for conducting cyber espionage and financial fraud campaigns on behalf of the Chinese government. When the group appeared on the scene in 2012, it focused mostly on organizations involved in gaming, pharmaceuticals, and telecommunications, though it also attacked political organizations and government agencies. A modular backdoor made up of ELF modules, Glotto provides flexibility to craft tailored attacks to meet the attacker's specific needs. Several key components make up this malware: task_loader, which assesses the environment; init_task, which installs the backdoor; client_loader, which obfuscates the application; and client_task, which manages PHP backdoor operations and communicates with the command-and-control (C2) server. 

Through fileless execution, the malware runs entirely within PHP or PHP-FPM processes and injects malicious code into PHP files within popular frameworks such as ThinkPHP, Yii, Laravel, and Dedecms, thereby achieving stealth. Glutton maintains persistence in the system by modifying system files including those in the init[.]d network section and those in the Baota panel, allowing it to steal credentials and maintain a foothold on the system. 

By using a modular approach to code, Glutton can function without leaving traditional digital footprints behind, because all code execution is carried out within PHP, and there is a feature called PHP-FPM (FastCGI) that is used to optimize PHP process handling on web servers, which ensures that no files are left behind and that the backdoor remains undetected until it is discovered.  There are several PHP frameworks that Glutton can exploit to extract data or inject malicious code into widely used PHP frameworks, including Baota, ThinkPHP, Yii, and Laravel, when deployed with Glutton. 

It was in December 2023, when researchers traced the unusual activity to an IP address that was distributing a backdoor which targeted Unix-like operating systems, also commonly known as ELF-based malware, that researchers first discovered that Glutton was a backdoor. Further research revealed that the ELF-based malware also contained a malicious PHP file. Researchers uncovered a network of malicious PHP payloads connected to a network of malicious PHP payloads, revealing a complex attack infrastructure.

Researchers have indicated that the malware has a connection with Winnti’s historical activities, but they point out that there are several shortcomings when it comes to stealth and execution, which are uncharacteristically underwhelming for an APT group. Even though Winnti's behaviour normally does not include plaintext PHP samples and simplistic C2 communication protocols, the researchers believe that Winnti is the one responsible for the malware with some degree of confidence. The researchers also pointed out that Winnti "deliberately targeted systems within the cybercrime market" to spread the malware to as many targets as possible.

According to XLab researchers, Winnti "deliberately targeted systems within the cybercrime market" to help spread its virus as far as possible, but that was not the case.  Recent research has consistently shown that threat actors piggyback on each other’s infrastructure to exploit their vulnerabilities. In a report published by Microsoft, it was found that Turla, an APT group linked to the Russian government, has been running its operations using infrastructure previously set up by other APT groups or cybercriminals. 

In addition to being a fully functional backdoor, the PHP backdoor is also able to execute 22 unique commands, including switching C2 connections to UDP from TCP, launching a shell, downloading and uploading files, performing file and directory operations, and running arbitrary PHP code. Additionally, this framework provides the ability to periodically poll the C2 server for more PHP payloads, allowing for the retrieval and execution of more PHP payloads. According to XLab, these payloads are highly modular, capable of being executed independently by the payload module or sequentially by the task_loader module, providing a comprehensive framework to execute attacks, independently. 

There is no file payload left behind, ensuring no files or data are left behind after code execution, which ensures a completely stealthy footprint since all the code is executed within PHP or PHP-FPM (FastCGI) processes. In addition to this, HackBrowserData is also being used by cybercrime operators to steal sensitive information to inform future phishing or social engineering campaigns in the future. This tool can be used on any system used by a cybercriminal to steal sensitive information.
Read more »
TOUXtract Exploits
AI Models Cyber Researchers Cyberattacks CyberCrime Cyberhackers Cyberthreats Technology TOUXtract Exploits

AI Models at Risk from TPUXtract Exploit

 


A team of researchers has demonstrated that it is possible to steal an artificial intelligence (AI) model without actually gaining access to the device that is running the model. The uniqueness of the technique lies in the fact that it works efficiently even if the thief may not have any prior knowledge as to how the AI works in the first place, or how the computer is structured. 

According to North Carolina State University's Department of Electrical and Computer Engineering, the method is known as TPUXtract, and it is a product of their department. With the help of a team of four scientists, who used high-end equipment and a technique known as "online template-building", they were able to deduce the hyperparameters of a convolutional neural network (CNN) running on Google Edge Tensor Processing Unit (TPU), which is the settings that define its structure and behaviour, with a 99.91% accuracy rate. 

The TPUXtract is an advanced side-channel attack technique devised by researchers at the North Carolina State University, designed to protect servers from attacks. A convolutional neural network (CNN) running on a Google Edge Tensor Processing Unit (TPU) is targeted in the attack, and electromagnetic signals are exploited to extract hyperparameters and configurations of the model without the need for previous knowledge of its architecture and software. 

A significant risk to the security of AI models and the integrity of intellectual property is posed by these types of attacks, which manifest themselves across three distinct phases, each of which is based on advanced methods to compromise the AI models' integrity. Attackers in the Profiling Phase observe and capture side-channel emissions produced by the target TPU as it processes known input data as part of the Profiling Phase. As a result, they have been able to decode unique patterns which correspond to specific operations such as convolutional layers and activation functions by using advanced methods like Differential Power Analysis (DPA) and Cache Timing Analysis. 

The Reconstruction Phase begins with the extraction and analysis of these patterns, and they are meticulously matched to known processing behaviours This enables adversaries to make an inference about the architecture of the AI model, including the layers that have been configured, the connections made, and the parameters that are relevant such as weight and bias. Through a series of repeated simulations and output comparisons, they can refine their understanding of the model in a way that enables precise reconstruction of the original model. 

Finally, the Validation Phase ensures that the replicated model is accurate. During the testing process, it is subject to rigorous testing with fresh inputs to ensure that it performs similarly to that of the original, thus providing reliable proof of its success. The threat that TPUXtract poses to intellectual property (IP) is composed of the fact that it enables attackers to steal and duplicate artificial intelligence models, bypassing the significant resources that are needed to develop them.

The competition could recreate and mimic models such as ChatGPT without having to invest in costly infrastructure or train their employees. In addition to IP theft, TPUXtract exposed cybersecurity risks by revealing an AI model's structure that provided visibility into its development and capabilities. This information could be used to identify vulnerabilities and enable cyberattacks, as well as expose sensitive data from a variety of industries, including healthcare and automotive.

Further, the attack requires specific equipment, such as a Riscure Electromagnetic Probe Station, high-sensitivity probes, and Picoscope oscilloscope, so only well-funded groups, for example, corporate competitors or state-sponsored actors, can execute it. As a result of the technical and financial requirements for the attack, it can only be executed by well-funded groups. With the understanding that any electronic device will emit electromagnetic radiation as a byproduct of its operations, the nature and composition of that radiation will be affected by what the device does. 

To conduct their experiments, the researchers placed an EM probe on top of the TPU after removing any obstructions such as cooling fans and centring it over the part of the chip emitting the strongest electromagnetic signals. The machine then emitted signals as a result of input data, and the signals were recorded. The researchers used the Google Edge TPU for this demonstration because it is a commercially available chip that is widely used to run AI models on edge devices meaning devices utilized by end users in the field, as opposed to AI systems that are used for database applications. During the demonstration, electromagnetic signals were monitored as a part of the technique used to conduct the demonstration.

A TPU chip was placed on top of a probe that was used by researchers to determine the structure and layer details of an AI model by recording changes in the electromagnetic field of the TPU during AI processing. The probe provided real-time data about changes in the electromagnetic field of the TPU during AI processing. To verify the model's electromagnetic signature, the researchers compared it to other signatures made by AI models made on a similar device - in this case, another Google Edge TPU. Using this technique, Kurian says, AI models can be stolen from a variety of different devices, including smartphones, tablets and computers. 

The attacker should be able to use this technique as long as they know the device from which they want to steal, have access to it while it is running an AI model, and have access to another device with similar specifications According to Kurian, the electromagnetic data from the sensor is essentially a ‘signature’ of the way AI processes information. There is a lot of work that goes into pulling off TPUXtract. The process not only requires a great deal of technical expertise, but it also requires a great deal of expensive and niche equipment as well. To scan the chip's surface, NCSU researchers used a Riscure EM probe station equipped with a motorized XYZ table, and a high-sensitivity electromagnetic probe to capture the weak signals emanating from it. 

It is said that the traces were recorded using a Picoscope 6000E oscilloscope, and Riscure's icWaves FPGA device aligned them in real-time, and the icWaves transceiver translated and filtered out the irrelevant signals using bandpass filters and AM/FM demodulation, respectively. While this may seem difficult and costly for a hacker to do on their own, Kurian explains, "It is possible for a rival company to do this within a couple of days, regardless of how difficult and expensive it will be. 

Taking the threat of TPUXtract into account, this model poses a formidable challenge to AI model security, highlighting the importance of proactive measures. As an organization, it is crucial to understand how such attacks work, implement robust defences, and ensure that they can safeguard their intellectual property while maintaining trust in their artificial intelligence systems. The AI and cybersecurity communities must learn continuously and collaborate to stay ahead of the changing threats as they arise.
Read more »
Subscribe to: Posts (Atom)