Search This Blog
Powered by Blogger.

Blog Archive

Labels

Load More
Trendy Right Now

Popular Posts

Showing posts with label CyberThreat. Show all posts
Youtube
Amazon Audible ClearFake Cyber Security CyberCrime Cyberhackers CyberThreat Google Youtube

Amazon and Audible Face Scrutiny Amid Questionable Content Surge

 


The Amazon online book and podcast services, Amazon Music, and Audible have been inundated by bogus listings that attempt to trick customers into clicking on dubious "forex trading" sites, Telegram channels, and suspicious links claiming to offer pirated software for sale. It is becoming increasingly common to abuse Spotify playlists and podcasts to promote pirated software, cheat codes for video games, spam links, and "warez" websites. 

To spam Spotify web player results into search engines such as Google, threat actors can inject targeted keywords and links in the description and title of playlists and podcasts to boost SEO for their dubious online properties. In these listings, there are playlist names, podcast description titles, and bogus "episodes," which encourage listeners to visit external links that link to places that might cause a security breach. 

A significant number of threat actors exploit Google's Looker Studio (formerly Google Data Studio) to boost the search engine ranking of their illicit websites that promote spam, torrents, and pirated content by manipulating search engine rankings. According to BleepingComputer, one of the methods used in the SEO poisoning attack is Google's datastudio.google.com subdomain, which appears to lend credibility to the malicious website. 

Aside from mass email spam campaigns, spammers are also using Audible podcasts as another means to spread the word about their illicit activities. Spam can be sent to any digital platform that is open to the public, and no digital platform is immune to that. In cases such as those involving Spotify or Amazon, there is an interesting aspect that is, one would instinctively assume that the overhead associated with podcasting and digital music distribution would deter spammers, who would otherwise have to turn to low-hanging fruit, like writing spammy posts to social media or uploading videos that have inaccurate descriptions on YouTube. 

The most recent instance of this was a Spotify playlist entitled "Sony Vegas Pro 13 Crack...", which seemed to drive traffic to several "free" software sites listed in the title and description of the playlist. Karol Paciorek, a cybersecurity enthusiast who spotted the playlist, said, "Cybercriminals exploit Spotify for malware distribution because Spotify has become a prominent tool for distributing malware. Why? Because Spotify's tracks and pages are easily indexed by search engines, making it a popular location for creating malicious links.". 

The newest business intelligence tool from Google, Looker Studio (formerly, Google Data Studio) is a web-based tool that allows users to make use of data to create customizable reports and dashboards allowing them to visualize and analyze their data. A Data Studio application can, and has been used in the past, to track and visualize the download counts of open source packages over some time, such as four weeks, for a given period. There are many legitimate business cases for Looker Studio, but like any other web service, it may be misused by malicious actors looking to host questionable content on illegal domains or manipulate search engine results for illicit URLs. 

Recent SEO poisoning campaigns have been seen targeting keywords related to the U.S. midterm election, as well as pushing malicious Zoom, TeamViewer, and Visual Studio installers to targeted sites.  In advance of this article's publication, BleepingComputer has reached out to Google to better understand the strategy Google plans to implement in the future.

Firstory is a new service launched in 2019 that enables podcasters to distribute their shows across the globe, and even connect with audiences, thereby empowering them to enjoy their voice! Firstory is open to publishing podcasts on Spotify, but it acknowledges that spam is an ongoing issue that it is increasingly trying to address, as it focuses on curtailing it as much as possible. 

Spam accounts and misleading content remain persistent challenges for digital platforms, according to Stanley Yu, co-founder of Firstory, in a statement provided to BleepingComputer. Yu emphasized that addressing these issues is an ongoing priority for the company. To tackle the growing threat of unauthorized and spammy content, Firstory has implemented a multifaceted approach. This includes active collaboration with major streaming platforms to detect and remove infringing material swiftly. 

The company has also developed and employed advanced technologies to scan podcast titles and show notes for specific keywords associated with spam, ensuring early identification and mitigation of potential violations. Furthermore, Firstory proactively monitors and blocks suspicious email addresses commonly used by malicious actors to infiltrate and disrupt digital ecosystems. By integrating technology-driven solutions with strategic partnerships, Firstory aims to set a higher standard for content integrity across platforms. 

The company’s commitment reflects a broader industry imperative to protect users and maintain trust in an ever-expanding digital landscape. As digital platforms evolve, sustained vigilance and innovation will be essential to counter emerging threats and foster a safer, more reliable online environment.
Read more »
Privacy
Cyberattacks CyberCrime Cyberhackers Cybersecurity CyberThreat Data Leak Microsoft Power Pages Misconfiguration Privacy

Data Leak Reported Due to Power Pages Misconfiguration


 

The Power Pages platform from Microsoft offers users an easy-to-use, low-code platform that enables them to build data-driven websites with only a little bit of programming knowledge or experience. In both the public and private sectors, companies large and small rely on this tool to facilitate the collection and analysis of data that can assist them with all manner of problems that may arise from customers or citizens seeking information to solve a problem. 

There may be other issues regarding these web pages, such as the possibility of leaks of sensitive information for their respective organizations as well if the settings for these web pages are not set up properly.  According to cybersecurity researchers, a new vulnerability has been discovered in Microsoft Power Pages that stems from misconfigured access controls within websites built with this platform that can expose sensitive data. 

If the vulnerability resulted in millions of sensitive business records being exposed to unauthorized users, this could pose a serious security risk for affected organizations as a result. It is an application service platform, that is based on the Power Platform, and offers developers a low-code platform that can be used to build externally facing websites on top of Microsoft's infrastructure without a lot of coding. 

To guarantee a layer of access control, the Power Pages system uses a layered approach when it comes to writing a custom website. A site's permissions can be configured from a table level, a column level, or a column-level. Despite these risks, misconfigurations of these settings can unintentionally expose sensitive data to the public internet when businesses misconfigure these settings.  Organizers can expose more columns to the Web API than are necessary, thereby increasing the potential attack surface of their applications. 

According to Aaron Costello, AppOmni's chief of SaaS security research, Power Pages users have to pay more attention to the software's security settings to ensure their information is protected, especially given the product's popularity. It was announced earlier this year that websites that are created using Power Pages have over 250 million users every month, according to a statement from Microsoft.  Several AppOmni and Microsoft 365 customers are now using AppOmni Insights to assist with the detection of these kinds of exposures and to provide subsequent remediation guidance if such exposures are found. 

For a detailed understanding of how these kinds of vulnerabilities can arise, it is worthwhile to first understand the platform's RBAC model and how Power Pages are constructed. In contrast to traditional custom web development, Power Pages has the following main advantages: out-of-the-box (OOB) role-based access control (RBAC), the option of using Microsoft's Dataverse as the database automatically and the ease of a drag-and-drop interface, which is made possible by prebuilt components, which greatly reduces the need for custom code in the design of the web site. 

Affording too many permissions to roles like "Anonymous Users" (non-authenticated visitors) and "Authenticated Users" (authenticated visitors) may expose an organization to potential data leaks, which may not have been anticipated. It is worth noting that Microsoft's customers have the option of easily deploying these data-driven web applications. However, if these applications are mismanaged from a security perspective, they may have a heavy cost to pay for their security. This data is primarily made up of internal organization files as well as sensitive personal information regarding both users from inside the organization and those who register on the website and are registered to either organization. 


PII was recovered from most of these cases and consisted of full names, email addresses, phone numbers, and addresses for the home, in the majority of cases.  The information of over 1.1 million NHS employees was leaked by a large shared business service provider to the NHS, with many parts of the data including email addresses, telephone numbers, and even the addresses of the employees' homes, and this was being done without the employee's knowledge. 

In this particular case, the findings were fully disclosed responsibly and have been resolved since then. A lack of understanding of the access controls in Power Pages, as well as insecure custom code implementations are the main reasons for these data leaks. With excessive permissions given to unauthenticated users, any user may be able to extract records from the database if they have access to the readily available Power Page APIs available on the web. 

A Power Pages site also allows users to generate accounts and become authenticated with the help of APIs once they have registered. Users from outside of the company can also be granted global access for reading operations on the system. Researchers identified that the absence of column-level security in Microsoft Power Pages could enable unauthorized individuals to access sensitive data without restrictions. Additionally, it was noted that users often fail to replace sensitive information with masked strings, further exacerbating security vulnerabilities. 

In response, Microsoft has implemented multiple safeguards within the backend of Power Pages and Power Platform Apps. These measures include warning banners across all Power Platform admin console pages, as well as prominent alerts and warning icons on the table permissions configuration page of Power Pages. These updates aim to help administrators identify and address potentially risky configurations. This incident underscores the importance of proactive security practices in safeguarding sensitive data. Organizations utilizing Power Pages are encouraged to review and strengthen their configurations to mitigate risks and enhance overall security.
Read more »
CyberThreat
Black Friday Consumer Protection Cyber Security CyberCrime Cyberhackers CyberThreat

Consumer Protection in Focus Amid Black Friday in South Africa

 


November 29 is the date when Black Friday offers will be available, marking the beginning of the Christmas shopping season for many consumers. There is a lot of speculation that scammers will increase their game in the coming days, which gives it even more reason to be aware of the signs of threatening phoney texts. As the critical Black Friday and festive season periods approach, the retail industry in South Africa is showing signs of resilience, according to the latest State of the Retail Nation report produced by NIQ South Africa. 

The report examines the industry's expectations over the upcoming period. A recent warning from Standard Bank alerted South Africans to the fact that scams are on the rise as Black Friday approaches, with criminals increasingly using persuasive tactics to attract people's attention.  Even though there have been no studies on how Black Friday will affect the local economy, it appears to have the potential to generate R88 billion of economic activity in South Africa in 2024.  

Based on Capital Connect's findings, South Africa's wholesale, retail, and fuel sectors will contribute a total of R88 billion in additional economic value to the economy in November 2024. The Bureau of Market Research has conducted a study that shows that the Black Friday sales in South Africa will spur R22 billion in increased direct sales this year, with a further R28 billion in indirect economic impact on the country. 

There is expected to be an additional economic value of over R88 billion for the South African economy due to the growing interest of customers in Black Friday sales taking place in November 2024 in this country's wholesale, retail, and fuel sectors. Based on the results of a research report published by the Bureau of Market Research on behalf of fintech Capital Connect. 

During the holiday shopping season this year, retailers in South Africa will likely produce R22 billion in additional direct revenue as a result of Black Friday, and R28 billion in indirect economic impacts as a result of it. Further, the wholesale industry is expected to gain additional sales of R32.1 billion, while fuel sales are expected to increase by R6.2 billion as well.  

As a result of the study, consumers seem to be more interested in Black Friday in 2024 than in the previous three years (2021-2023). The result of this is expected to push retail sales in November 2024 to a value of approximately R136 billion, up 17.3% when calculated in nominal terms from the R116.1 billion of retail sales recorded in November 2023. 

After a long period of economic stagnation and retail stagnation, the positive outlook for Black Friday 2024 suggests that the tide is turning for South African retailers after a long period of economic stagnation and retail stagnation," said Steven Heilbron, CEO of Capital Connect, which is part of Lesaka Technologies, a Nasdaq- and JSE-listed company.  Several factors have contributed to a better economic outlook, including a marked reduction in load-shedding, the introduction of the Two-Pot Retirement System, a reduction in interest rates, and a decrease in inflation. 

There is a rising trend in consumer confidence that will give an advantage to innovative retailers with the right product mix and promotions."  In this year's challenging retail climate, Black Friday sales will provide a welcome boost to retailers who have struggled to operate. The formal retail sector, on the other hand, is predicted to show real growth of only 1.4% in 2024 with an increase of just 0.6%. In a study conducted by Standard Bank, it was revealed that scams are widespread in Gauteng, where 38% of cases were reported. KwaZulu-Natal had 18%, while the Western Cape had 15%.  

In his statement, Rathogwa noted that the bank has begun noticing some concerning trends around Black Friday, including an increase in the amount of social media fraud, which has been particularly persuasive.  It is still a significant threat that deceptive emails are sent by fraudsters purporting to be emails from legitimate companies, such as retailers, streaming services, and banks, to mislead users.  Several emails contain links to fake websites that are designed to collect sensitive information, such as login details and passwords.  

The scammers also make use of luring strategies to entice the recipient into clicking on links that they believe are malicious, as well as offering rewards to the first few buyers. As well as this particular tactic, more and more fraudsters are also using social media accounts to promote offers that are heavily discounted, and sometimes even free. This type of scam is increasingly common.  A scam artist creates a page on Facebook, builds a fan base, and posts false reviews trying to entice the public to buy.

Upon engaging an interested buyer, the conversation switches to WhatsApp to discuss details about the buyer's bank account, courier service, and so on.  Upon making the payment and providing proof to the police, the victim's social media pages and phone numbers will have disappeared from the Internet. Whenever a deal seems too good to be true, it most likely is. Be careful if someone puts a lot of pressure on users to make a quick payment to secure a deal. Rathogwa also warned customers to watch out for fake websites that often look exactly like legitimate retailers" he added.  

To protect against Black Friday scams, experts advise consumers to take several precautions while shopping online or in-store. Shoppers should confirm the authenticity of a purchase before proceeding by buying only from trusted and verified sources. Carefully reviewing transaction details and ensuring that any One-Time Pin (OTP) generated corresponds to the specific transaction is critical. Verifying beneficiary account details before making electronic transfers is also recommended, with tools such as Standard Bank’s Account Verification Service offering an added layer of security. 

It is equally important for individuals to manage the security of their devices. Any unused, sold, lost, or stolen devices should be delinked from online banking profiles immediately, and banks should be notified without delay if a device is misplaced. Furthermore, shoppers are encouraged to report any suspicious activity to their financial institutions. 

Rathogwa emphasizes the importance of scrutinizing web addresses for typos or subtle alterations, as scammers frequently create fraudulent websites that mimic legitimate retailers. Such vigilance can help safeguard personal and financial information during the shopping season.
Read more »
UMI
AI technology Apple CyberCrime Cyberhackers Cybermedia Cybersecurity CyberThreat iOS iPhone Users Privacy reboot Software Updates UMI

Reboot Revolution Protecting iPhone Users

 


Researchers at the University of Michigan (UMI) believe that Apple's new iPhone software has a novel security feature. It presents that the feature may automatically reboot the phone if it has been unlocked for 72 hours without being unlocked. 

As 404 Media reported later, a new technology called "inactivity reboot" was introduced in iOS 18.1, which forces devices to restart if their inactivity continues for more than a given period.  Aside from the Inactivity Reboot feature, Apple continues to enhance its security framework with additional features as part of its ongoing security enhancements. Stolen Data Protection is one of the features introduced in iOS 17.3. It allows the device to be protected against theft by requiring biometric authentication (Face ID or Touch ID) before allowing it to change key settings. 

There are various methods to ensure that a stolen device is unable to be reconfigured easily, including this extra layer of security. With the upcoming iOS 18.2 update, Apple intends to take advantage of a feature called Stolen Data Protection, which is set to be turned off by default to avoid confusing users. However, Apple plans to encourage users to enable it when setting up their devices or after a factory reset to maintain an optimal user experience. 

As a result, users will be able to have more control over the way their personal information is protected. Apple has quietly introduced a new feature to its latest iPhone update that makes it even harder for anyone to unlock a device without consent—whether they are thieves or law enforcement officers. With this inactivity reboot feature, Apple has made unlocking even more difficult for anyone. When an iPhone has been asleep or in lock mode for an extended period, a new feature is introduced with iOS 18.1 will automatically reboot it in addition to turning it off. 

A common problem with iPhones is that once they have been rebooted, they become more difficult to crack since either a passcode or biometric signature is required to unlock them. According to the terms of the agreement, the primary objective of this measure is to prevent thieves (or police officers) from hacking into smartphones and potentially accessing data on them. There is a new "inactivity reboot" feature included in iOS 18 that, according to experts who spoke to 404 Media, will restart the device after approximately four days of dormancy if no activity is made.

A confirmation of this statement was provided by Magnet Forensics' Christopher Vance in a law enforcement group chat as described in Magnet Forensics' Christopher Vance, who wrote that iOS 18.1 has a timer which runs out after a set amount of time, and the device then reboots, moving from an AFU (After First Unlock) state to a BFU (Before First Unlock) state at the end of this timer. According to 404 Media, it seems that the issue was discovered after officers from the Detroit Police Department found the feature while investigating a crime scene in Detroit, Michigan.

When officers were working on iPhones for forensic purposes in the course of their investigation, they noticed that they automatically rebooted themselves frequently, which made it more difficult for them to unlock and access the devices. As soon as the devices were disconnected from a cellular network for some time, the working theory was that the phones would reboot when they were no longer connected to the network.  

However, there are actually much simpler explanations that can be provided for this situation. The feature, which AppleInsider refers to as an inactivity reboot, is not based on the current network connection or the state of the battery on the phone, which are factors that may affect the reboot timer. The reboot typically occurs after a certain amount of time has elapsed -- somewhere around 96 hours in most cases.  Essentially, the function of this timer is identical to the Mac's hibernation mode, which is intended to put the computer to sleep as a precaution in case there is a power outage or the battery is suddenly discharged. 

During the BFU state of the iPhone, all data on the iPhone belongs to the user and is fully encrypted, and is nearly impossible for anyone to access, except a person who knows the user's passcode to be able to get into the device. However, when the phone is in a state known as "AFU", certain data can be extracted by some device forensic tools, even if the phone is locked, since it is unencrypted and is thus easier to access and extract.  

According to Tihmstar, an iPhone security researcher on TechCrunch, the iPhones in these two states are also known as "hot" devices or "cold" devices depending on their temperature.  As a result, Tihmstar was making a point to emphasize that the majority of forensic firms are focusing on "hot" devices in an AFU state as they can verify that the user entered the correct passcode in the iPhone's secure enclave at some point. A "cold" device, on the other hand, is considerably more difficult to compromise because its memory can not be easily accessed once the device restarts, so there is no easy way to compromise it.

The law enforcement community has consistently opposed and argued against new technology that Apple has implemented to enhance security, arguing that this is making their job more difficult. According to reports, in 2016, the FBI filed a lawsuit against Apple in an attempt to force the company to install a backdoor that would enable it to open a phone owned by a mass shooter. Azimuth Security, an Australian startup, ultimately assisted the FBI in gaining access to the phone through hacking. 

These developments highlight Apple’s ongoing commitment to prioritizing user privacy and data security, even as such measures draw criticism from law enforcement agencies. By introducing features like Inactivity Reboot and Stolen Data Protection, Apple continues to establish itself as a leader in safeguarding personal information against unauthorized access. 

These innovations underscore the broader debate between privacy advocates and authorities over the balance between individual rights and security imperatives in an increasingly digitized world.
Read more »
Synthetic Data
CyberCrime Cyberhackers Cybersecurity CyberThreat Healthcare Privacy Synthetic Data

Reimagining Healthcare with Synthetic Data

 


It has been espoused in the generative AI phenomenon that the technology's key uses would include providing personalized shopping experiences for customers and creating content. Nonetheless, generative AI can also be seen to be having a very real impact on fields such as healthcare, for example. There is a tectonic shift in healthcare and life sciences, as technology is being implemented and data-driven systems are being integrated. 

A must-follow trend in this revolution is the burgeoning use of synthetic data, a breakthrough advancement poised to reshape how medical research is conducted, AI is developed, and patient privacy will be protected in the coming years. Data available in synthetic format is comparable to data available in real-world format (such as real fibers such as hemp). In the course of human evolution, humans have created synthetic products to achieve our goals and to develop new products that improve our lives in many different ways. 

It's widely known that synthetic fiber is used in clothing, rope, industrial equipment, automobiles, and many other places. It is because of the ability to create synthetic fiber that a wide range of products can be created that are needed in modern life. Healthcare is another area where synthetic data can have an impact similar to that of traditional data. Synthetic data is created based on real-world data using a data synthesizer. 

These synthesizers may leverage different methods to create synthetic data that have the same statistical and correlative properties as the original data; however, they are completely independent from the real-world data (1, 2). Notably, synthetic data do not contain any personal identifying information which ensures personal privacy and full compliance with privacy regulations such as the EU’s General Data Protection Regulation (GDPR). 

The use of high-fidelity synthetic data for data augmentation is an area of growing interest in data science, generating virtual patient cohorts, such as digital twins, to estimate counterfactuals in silico trials, allowing for better prediction of treatment outcomes and personalised medicine. Synthetic data allows clinicians to use prompts to generate a conversation between a patient with depression and a therapist where they are discussing the onset of symptoms. 

Healthcare providers can also use partially synthetic data, which takes a real-life transcript and has AI adjust it to remove personally identifiable information or private health information, while still telling a cohesive story. This data can then be used to train AI models to develop transcripts, training materials and so on. Regardless of whether the data is fully or partially synthetic, the data can (and often is) adjusted as needed with additional prompts until it reaches the desired result. Healthcare is subjected to a variety of privacy rules through HIPAA. 

Eliminating these privacy concerns is a primary reason Read feels synthetic data is valuable in training models. With synthetic data, healthcare providers don’t need to use real people’s data to train models. Instead, they can generate a conversation that is representative of a specific therapeutic intervention without involving anyone’s protected health information. As Read explains, “Synthetic data also makes it easy to calibrate what we’re looking for — like to generate different examples of how a healthcare provider could say something explicitly or implicitly. This makes it easier to provide different examples and tighten up the information we provide to AI models to learn from, ensuring that we can teach it the right data for providing training or feedback to real-world clinicians.” 

Synthetic data also democratizes the ability of different healthcare organizations to train and fine-tune their own machine learning models. Whereas previously, an organization might need to provide hundreds (or even thousands) of hours of transcribed sessions between patients and clinicians as well as other data points, synthetic data erases this barrier to entry. Synthetic data allows for models to learn and build out responses at a much faster rate — which also makes it easier for new players in healthcare to enter the field. 

As Read’s insights reveal, the use of AI and synthetic data isn’t going to replace clinicians’ value or decision-making authority. But with the help of synthetic data, AI can help push clinicians in the right direction to ensure that there is greater standardization and adherence to best practices. As more providers begin to utilize synthetic data to ensure they are following best practices in all patient interactions and to get feedback on their sessions, they can elevate the quality of care for all. A similar impact could also be felt in the healthcare sector by the use of synthetic data similar to how traditional data would. 

With the help of a data synthesizer, it is possible to create synthetic data based on real-world data. It has been shown that these synthesizers can leverage different methods to produce synthetic data which are capable of being compared to the original data, even if those properties cannot be extracted from the original data, but they are completely independent of real-world data (1, 2). A distinctive feature of synthetic data is the absence of any personal identifying information, which ensures that the data is completely private to the individual and complies with all needed privacy regulations, such as the General Data Protection Regulation (GDPR) of the European Union. 

As a result of increasing interest in data science, the use of high-fidelity synthetic data for data augmentation is becoming increasingly popular. To better predict treatment outcomes and tailor medical treatments for individual patients, digital twins, and virtual cohorts are used to estimate counterfactuals in silico trials, allowing better predictions of treatment outcomes. As a result of synthetic data, clinicians can generate a conversation between patients with depression and therapists to demonstrate how their symptoms began, and these prompts can be used to guide the conversation. 

Providers of healthcare can also use partially synthetic data, which is a combination of a real-life transcript and AI processing that removes any personally identifiable information or private health information, while still telling a coherent story. By using this data, it can then be developed into the types of transcripts, materials for training, etc, that are needed for creating transcripts. Whether the data being used is synthetic data or not, it can (and often is) manipulated or adjusted, as necessary, with additional prompts, until it reaches the result that is desired regardless of whether the data is synthetic or not. 

HIPAA is a sort of Federal law that imposes a variety of privacy rules on the healthcare industry. The fact that Synthetic Data is useful in training models is because it can eliminate these privacy concerns, according to Read. To train models based upon synthetic data, healthcare providers do not need to rely on real person-to-person information. This would allow them to generate a conversation in which they would represent a specific therapeutic intervention, without involving any protected health information of anybody involved in such a conversation. 

Moreover, Read explains, "Synthetic data also allows us to calibrate our search in a much easier way - like for example, generating examples of how a healthcare provider would be able to send an implicit or explicit message to an individual." Moreover, synthetic data democratizes the possibility of various healthcare organizations to train and refine their own artificial intelligence models by enabling them to use synthetic data. 


An organization might have previously been required to provide hundreds (or even thousands) of hours of transcribed sessions between patients and clinicians, along with other information points about these sessions, in order to offer this service, but with synthetic data, businesses are no longer required to do so. Using synthetic data, it is possible for models to learn and develop responses at much faster rates as well, making it easier for new players in healthcare to enter the field to learn and build on existing responses. 

In light of Read's insights, it's important to emphasize that AI and synthetic data are not going to replace clinicians' capabilities or their decision-making authority as Read identifies. By using synthetic data, however, AI has the potential to help clinicians in the right direction to ensure that better standards of care are observed and that best practices are followed. As healthcare providers increasingly adopt synthetic data, they gain a valuable tool for adhering to best practices in patient interactions and enhancing the overall quality of care.

By leveraging synthetic data, practitioners can simulate various clinical scenarios, ensuring their approaches align with industry standards and ethical guidelines. This technology also enables providers to receive constructive feedback on their patient sessions, helping to identify areas for improvement and fostering continuous professional development. The integration of synthetic data into healthcare workflows not only supports more consistent and informed decision-making but also elevates the standard of care delivered to patients across diverse settings. By embracing synthetic data, providers can drive innovation, improve outcomes, and contribute to a more efficient and patient-centered healthcare ecosystem.
Read more »
Volt Typhoon
Botnet CyberCrime Cybersecurity CyberThreat FBI IP Address malware Technology Volt Typhoon

Volt Typhoon rebuilds malware botnet following FBI disruption

 


There has recently been a rise in the botnet activity created by the Chinese threat group Volt Typhoon, which leverages similar techniques and infrastructure as those previously created by the group. SecurityScorecard reports that the botnet has recently made a comeback and is now active again. It was only in May of 2023 that Microsoft discovered that the Volt Typhoon was stealing data from critical infrastructure organizations in Guam, which it linked to the Chinese government. This knowledge came as a result of a spy observing the threat actor stealing data from critical infrastructure organizations on US territory. 

Several Cisco and Netgear routers have been compromised by Chinese state-backed cyber espionage operation Volt Typhoon since September, to rebuild its KV-Botnet malware, which had previously been disrupted by the FBI and was unsuccessfully revived in January, reports said. A report by Lumen Technologies' Black Lotus Labs released in December 2023 revealed that outdated devices mostly powered Volt Typhoon's botnet from Cisco, Netgear, and Fortinet. 

The botnet was used to transfer covert data and communicate over unsecured networks. The US government recently announced that the Volt Typhoon botnet had been neutralized and would cease to operate. Leveraging the botnet's C&C mechanisms, the FBI remotely removed the malware from the routers and changed the router's IP address to a port that is not accessible to the botnet. 

Earlier this month, in response to a law enforcement operation aimed at disrupting the KV-Botnet malware botnet, Volt Typhoon, which is widely believed to be sponsored by the Chinese state, has begun to rebuild its malware botnet after law enforcement officials disrupted it in January. Among other networks around the world, Volt Typhoon is considered one of the most important cyberespionage threat groups and is believed to have infiltrated critical U.S. infrastructure at least for the past five years. 

To accomplish their objectives, they hack into SOHO routers and networking devices, such as Netgear ProSAFE firewalls, Cisco RV320s, DrayTek Vigor routers, and Axis IP cameras, and install proprietary malware that establishes covert communication channels and proxies, as well as maintain persistent access to targeted networks through persistent access. 

Volt Typhoon was a malicious botnet created by a large collection of Cisco and Netgear routers that were older than five years, and, therefore, were not receiving security updates as they were near the end of their life cycle as a result of having reached end-of-life (EOL) status. This attack was initiated by infecting devices with the KV Botnet malware and using them to hide the origin of follow-up attacks targeting critical national infrastructure (CNI) operations located in the US and abroad. 

There has been no significant change in Volt Typhoon's activity in the nine months since SecurityScorecard said they observed signs of it returning, which makes it seem that it is not only present again but also "more sophisticated and determined". Strike team members at SecurityScorecard have been poring over millions of data points collected from the organization's wider risk management infrastructure as part of its investigation into the debacle and have come to the conclusion that the organization is now adapting and digging in in a new way after licking its wounds in the wake of the attack. 

In their findings, the Strike Team highlighted the growing danger that the Volt Typhoon poses to the environment. To combat the spread of the botnet and its deepening tactics, governments and corporations are urgently needed to address weaknesses in legacy systems, public cloud infrastructures, and third-party networks, says Ryan Sherstobitoff, the senior vice president of SecurityScorecard's threat research and intelligence. "Volt Typhoon is not only a botnet that has resilience, but it also serves as a warning computer virus. 

In the absence of decisive action, this silent threat could trigger a critical infrastructure crisis driven by unresolved vulnerabilities, leading to a critical infrastructure disaster." It has been observed that Volt Typhoon has recently set up new command servers to evade the authorities through the use of hosting services such as Digital Ocean, Quadranet, and Vultr. Afresh SSL certificates have also been registered to evade the authorities as well. 

The group has escalated its attacks by exploiting legacy Cisco RV320/325 and Netgear ProSafe router vulnerabilities. According to Sherstobitoff, even in the short period that it took for the operation to be carried out, 30 per cent of the visible Cisco RV320/325 network equipment around the world was compromised. According to SecurityScorecard, which has been monitoring this matter for BleepingComputer, the reason behind this choice is likely to be based on geographical factors by the threat actors.

It would seem that the Volt Typhoon botnet will return to global operations soon; although the size of the botnet is nowhere near its previous size, it is unlikely that China's hackers will give up on their mission to eradicate the botnet. As a preventative measure, older routers should be replaced with more current models and placed behind firewalls. Remote access to admin panels should not be made open to the internet, and passwords for admin accounts should be changed to ensure that this threat is not created. 

To prevent exploitation of known vulnerabilities, it is highly recommended that you use SOHO routers that are not too old to install the latest firmware when it becomes available. Among the areas in which the security firm has found similarities between the previous Volt Typhoon campaigns and the new version of the botnet are its fundamental infrastructure and techniques. A vulnerability in the VPN of a remote access point located on the small Pacific island of New Caledonia was found by SecurityScorecard's analysis. As the network was previously shut down, researchers observed it being used once again to route traffic between the regions of Asia-Pacific and America, although the system had been taken down previously. 
Read more »
ransomware attacks
Critical Infrastructure Cyber Attacks CyberCrime Cybersecurity CyberThreat Oilfield Supplier ransomware attacks

Texas Oilfield Supplier Operations Impacted by Ransomware Incident

 


About two months before the Newpark Resources attack, oilfield services giant Halliburton had been afflicted with a cyberattack that it then disclosed in a regulatory filing, which occurred about two months earlier.  Last week, Halliburton, the world's largest energy services provider, announced that about $35 million in expenses were incurred because of the attack. Still, the impact on the company's finances is relatively small, especially considering Halliburton is one of the world's largest energy services providers.  

There was an incident in August when Halliburton, a global provider of services for the energy industry, had to shut down the systems of some of its subsidiaries due to a cyber attack. In most cases, this type of breach involves unauthorized access by third parties; oftentimes, this leads to operations being disrupted, systems being shut down, and incident response plans being activated as a result of the breach. A cyber-response plan was activated at that time and a comprehensive investigation was conducted internally with the assistance of external advisors to assess and remedy any unauthorized activity that the company was aware of at that time.  

Halliburton announced last week that in its third-quarter results it incurred a pretax charge of $116 million as a result of severity costs, impairment of assets held for sale, expenses related to cybersecurity incidents, gains on equity investments, and other items. The company said in the release that it recorded a pretax charge of $116 million in the third quarter of 2024. In a report released on Tuesday, Halliburton's chairman, president, and CEO, Jeff Miller, said that Halliburton "experienced a $0.02 per share impact on its adjusted earnings from storms in the Gulf of Mexico and in the Gulf of Mexico due to the August cybersecurity event." 

While the update is not in any way noteworthy, Andy Watkin-Child, founding partner at Veritas GRC told LinkedIn it shows cyber incidents are moving to the top of the corporate agenda, in a post on the social media platform. The board of directors is more transparent, as required by the Securities and Exchange Commission when it comes to the impact of cyber incidents. Following the attack on Halliburton, the company had to postpone billing and collection activities, as well as put a halt on its share buyback program. 

According to the company, the full impact will not be material for the company's operations in the long run.   The Newpark Resources Group announced this week that access to certain information systems and business applications has been disrupted due to a ransomware attack that has hit their network. According to a filing with the Securities and Exchange Commission (SEC), the incident was discovered on October 29 and a cybersecurity response plan was activated immediately, the Texas-based company that provides drilling fluids systems and composite matting systems for the oilfield sector, said in its statement. 

In his statement, Newpark stated that "the incident has caused disruptions and limitations in access to certain of the company's information systems and business applications that support aspects of the company's operations and corporate functions, including financial and operational reporting systems", and the company is still paying the price. To continue operating uninterruptedly, the company reverted to downtime procedures, allowing it to safely continue manufacturing and field operations during the downtime period.  

Based on the company's current understanding of the facts and circumstances regarding this incident, this incident appears not to have a reasonably likely impact on the company's financial situation or its results of operations, the company said in a statement. Newpark declined to provide information about how the attackers accessed its network, as well as who might have been responsible for the incident, nor did it explain how they gained access. No ransomware group is known to be claiming responsibility for the attack, according to SecurityWeek. 

About two months before the Newpark Resources breach, there was also a cyberattack on oilfield services giant Halliburton that was also announced in a regulatory filing by that company.  The company has just reported that as a result of the attack, Halliburton has incurred approximately $35 million in expenses. However, given that the company is one of the leading energy service companies in the world, the financial impact is relatively small.  

The incident at Newpark Resources highlighted the importance of network segmentation in protecting networks, according to Chris Grove, director of cybersecurity strategy at Nozomi Networks. He says that when networks are under attack, network segmentation can ensure their security.  According to Grove, separating OT from IT is one way to minimize the risk of a security breach and possibly hurt key operations if there is a breach. However, organizations are facing an increasingly pressing challenge: securing the advantages of segmentation while enabling controlled connectivity, which is becoming increasingly difficult to maintain. 

Cybersecurity Dive has been informed by researchers from NCC Group via email that there has been no public leak of data from the Newpark Resources attack and that there has been no claim made regarding the leak.  Neither the company nor the company's shareholders have been able to determine what costs and financial impacts will be associated with this incident, but about the company's financial condition and results of operations, they believe that the attack "is not reasonably likely to have a material impact."

As a manufacturer, seller, and rental company, Newpark Resources is dedicated to serving the petroleum industry and various other sectors related to energy, such as pipelines, renewable energy, petrochemicals, construction, and oilfields. In its Thursday earnings report, the Woodlands, Texas-based company disclosed quarterly revenue exceeding $44 million and projected an annual revenue reaching up to $223 million. This performance underscores the company's strong market presence despite recent challenges, though it remains under pressure following a recent ransomware attack by unidentified cyber actors. 

As of Thursday, no specific hacking group had taken responsibility for the attack. The oil and gas sector recognized as a globally essential industry, has increasingly become a focal point for ransomware attacks. Due to the industry’s high financial stakes and critical role in infrastructure, it is often targeted by cybercriminals who expect ransom payments to restore access to compromised systems. Notably, ransomware incidents have affected major players in the sector. Over the past four years, corporations such as Shell, Halliburton, Colonial Pipeline, Encino Energy, Oiltanking, and Mabanaft have experienced cybersecurity breaches that have disrupted operations and prompted significant financial and reputational impacts.

These incidents have drawn heightened attention from government entities, prompting federal authorities to pursue enhanced cybersecurity measures across critical infrastructure sectors. The rise in ransomware attacks has spurred the government to implement stricter cybersecurity regulations, with mandates designed to bolster defense mechanisms within vulnerable industries.
Read more »
Vulnerabilities and Exploits
CyberCrime Cybersecurity CyberThreat Frag Ransomware Ransomware VBR Veeam RCE Bug Vulnerabilities and Exploits

Veeam RCE Bug Now a Target for Frag Ransomware Operators

 


Recently, a critical VBR (Veeam Backup & Replication) security flaw was exploited by cyber thieves to distribute Frag ransomware along with the Akira and Fog ransomware attacks. Florian Hauser, a security researcher with Code White, has discovered that the vulnerability (tracked as CVE-2024-40711) is a result of the deserialization of untrusted data weakness that unauthenticated threat actors can abuse to gain remote code execution (RCE) on Veeam VBR servers by exploiting. 

Despite releasing a technical analysis of CVE-2024-40711 on September 9, Watchtower Labs delayed the release of a proof-of-concept exploit until September 15 to allow admins to take advantage of the security updates that Veeam released on September 4 for this vulnerability. 

According to Sophos researchers, ransomware operators are leveraging a critical vulnerability in Veeam Backup & Replication called CVE-2024-40711 to create rogue accounts and deploy malware to users in order to execute their attacks. On early September 2024, Veeam released security updates for the Service Provider Console, Veeam Backup & Replication, and Veeam One products to address several vulnerabilities that could undermine the security of their products.

The company fixed 18 issues with high or critical severity for these products. This September's security bulletin contains a critical, remote code execution (RCE) vulnerability tracked as CVE-2024-40711 that affects Veeam Backup & Replication (VBR), which has a CVSS v3.1 score of 9.8 (CVSS score of 10.4). A software product developed by the Veeam software company called Veeam Backup & Replication offers a comprehensive solution for data protection and disaster recovery. With this technology, companies are able to back up, restore, and replicate data across physical, virtual, and cloud environments at the same time. 

There is a vulnerability in the Linux kernel that allows unauthenticated remote code execution (RCE)." as stated in the advisory. The vulnerabilities were discovered by Florian Hauser, a researcher at CODE WHITE Gmbh who specializes in cybersecurity. In addition to Veeam Backup & Replication 12.1.2.172, earlier versions of version 12 are also affected by this flaw.  According to the Sophos X-Ops incident response team, the delay in releasing an exploit did not have much effect on the number of Akira and Fog ransomware attacks that were prevented. 

By exploiting the RCE vulnerability along with stolen credentials from the VPN gateway, the attackers were able to register rogue accounts on unpatched servers and exploit the RCE flaw. There was also a threat activity cluster, which was known as 'STAC 5881,' that was later found to have used exploits from CVE-2024-40711 to download Frag ransomware onto compromised networks, as a result of attacks that exploited CVE-2024-40711. 

According to Sean Gallagher, a principal threat researcher at Sophos X-Ops, the tactics associated with STAC 5881 were used again, this time, however, they led to the deployment of the previously undocumented 'Frag' ransomware which is now being referred to as Black Drop. There is a possibility that the threat actor exploited a vulnerability in the VEEAM component to gain access to the system, created a new account named 'point', and accessed the system from that account. As a result of this incident, a second account has also been created, known as 'point2'. 

Anew report by British cybersecurity company Agger Labs revealed that the Frag ransomware gang has made extensive use of Living Off The Land binaries (LOLBins), a type of software that is already installed on compromised computers and which is commonly known as Living Off The Land software (LOLBins). Defendants have a hard time detecting their activity due to the fact that this is difficult to detect. According to the Frag gang's playbook, the playbook of Akira and Fog operators is somewhat similar, as they often exploit vulnerabilities in unpatched backup and storage software and misconfigurations in the solutions that they deploy. This vulnerability has a high severity and can allow malicious actors to breach backup infrastructure if not patched. Veeam patched another high severity vulnerability in March 2023, CVE-2023-27532. There has been extensive use of this exploit in attacks linked to the financially motivated FIN7 threat group and in Cuba ransomware attacks that targeted companies and institutions critical to the American economy. 

Over 500,000 consumers worldwide rely on Veeam's products, including approximately 74% of all companies from the Global 2,000 list. Veeam reports that its products are used by over 550,000 customers worldwide. Agger Labs, a cybersecurity firm, also noted that tactics, techniques, and practices used by the threat actors behind Frag share many similarities to those used by Akira and Fog threat actors in their tactics, techniques, and practices. 

The main reason why Frag ransomware can remain stealthy is that it uses LOLBins, an approach that has been widely adopted by more traditional actors in the cybercrime sphere. The attackers can now bypass endpoint detection systems by employing familiar, legitimate software already present on most networks to conduct malicious operations. The fact that ransomware crews are adapting their approaches to ransomware shows that they are changing their approach despite not being new to the threat actor space.” 

Agger Labs notes. Despite Frag's use of LOLBins, the function has been used by ransomware strains like Akira and Fog which also use similar techniques to blend in with normal network activity and hide from detection.". As a result of using LOLBins as a means of exploitation for malicious purposes, these operators make it harder for us to detect them timely.”
Read more »
Multi-factor authentication
Cyber Security CyberThreat Data Safety Google Cloud Google security MFA Multi-factor authentication

Google Cloud to Enforce Multi-Factor Authentication for Enhanced Security in 2025

 


As part of its commitment to protecting users' privacy, Google has announced that by the end of 2025, all Google Cloud accounts will have to implement multi-factor authentication (MFA), also called two-step verification. Considering the sensitive nature of cloud deployments and the fact that phishing and stolen credentials remain among the top attack vectors observed by Mandiant Threat Intelligence, it seems likely that Google Cloud users should now be required to perform [2 steps of verification], as Mayank Upadhyay, Google Cloud's VP of Engineering and Distinguished Engineer, told the audience. 

By the end of 2025, Google's cloud division is planning to introduce an optional multi-factor authentication (MFA) feature for all users, as part of its efforts to improve account security as a part of its mission to improve security across the company. As part of a recent announcement by the tech giant, it was announced that it will begin the transition with a phased rollout, to help users adapt more smoothly to the changes. 

The technology industry and cyber security industry have long recommended multifactor authentication as a highly secure authentication method. With an additional step of verification, multi-factor authentication (MFA) dramatically reduces the risk of unauthorized logins, data breaches, and account takeovers, regardless of whether the user's password is compromised. As hackers continue to ramp up their sophisticated attacks on cloud infrastructure and sensitive data, Google is pushing for mandatory MFA as part of a growing trend in cybersecurity. 

According to recent announcements, Google is planning on requiring multi-factor authentication (MFA) for all Cloud accounts by the end of 2025, to protect cloud accounts. MFA is supposed to strengthen security while maintaining a smooth and convenient user experience online, which is exactly what Google claims. It has been reported that 70% of Google users have started using this feature and that security consultants are urging those users who are still on the fence to switch over to MFA at once. Users as well as admins who have access to Google Cloud will be affected by the implementation of the new process. 

Generally speaking, this change will not impact Google accounts of general consumer users. In a recent announcement sent made by Mayank Upadhyay, Google Cloud's VP of Engineering and Distinguished Engineer an official announcement the company stated that they plan to have mandatory MFA implemented throughout 2025 in a phased approach, with assistance being provided to help plan the deployment process. In response to Google's announcement, the company now states that it is taking a phased approach to the mandatory 2FA requirement that will apply to Google Cloud users; here's what that means in practice. 

There will be three phases to the implementation, and the first phase begins immediately with Google encouraging users to adopt 2FA if they have not yet had the chance to install 2FA protection on their account, but currently sign in with a password. Google estimates that 70% of online users have done this. As part of the first phase of the program, which is scheduled to begin in November 2024, the aim will be to encourage the adoption of MFA. The Google Cloud console will be regularly updated with helpful reminders and information. Resources will be available to help raise awareness, plan rollout and documentation of the MFA process, as well as to conduct testing and enable MFA for users with ease. The first phase of the project is scheduled to begin in November 2024 and will play a key role in facilitating the adoption of MFA. 

There will be several notes and reminders in the Google Cloud Console, including information you'll find helpful in raising awareness, planning rollouts, conducting tests, and ensuring that MFA is enabled smoothly for users, to help raise awareness. There will be a second phase that begins early next year and, at the start of the year, Google will start requiring MFA for users who sign in to Google Cloud with a password, whether they are new or existing. Nevertheless, Google has not yet expressed a concrete date for when it is planning to deploy the 2FA technology as part of phase two, which is scheduled for "early 2025". 

It is important to note, however, that all new Google Cloud users, whether or not they already have a password, will be required to implement two-factor authentication to sign in. As of now, this is a mandatory requirement, with no ifs, no buts. As soon as the Google Cloud Console, Firebase Console and iCloud are updated with the 2FA notification, Upadhyay will warn users that to continue using those tools, they need to enrol with the 2FA service. The final phase of Google Cloud's 2FA requirement will be rolled out by the end of 2025, it has been told and will be required for all users currently using federated authentication when logging into Google Cloud by that time. 

It was confirmed in the announcement that there will be flexible options for meeting this requirement. In other words, it appears to be an option for users to enable 2FA with their primary identity provider before accessing Google Cloud itself, or to add a layer of security through Google's system, using their Google account to enable 2FA through their cloud service. A senior director of technical field operations at Obsidian Security told me that the threat landscape has rapidly become more sophisticated as a result of this increased MFA prevalence. The breach data shows that 89% of compromised accounts have MFA enabled, according to Chris Fuller, senior director of technical field operations.

Several phishing-as-a-service toolkits, including the Mamba toolkit that you can buy for $250 a month, as well as non-human identity compromises, suggest that identity compromises will continue regardless of the technology used to carry out." Google's phased rollout is designed to ease users into the new requirement, which could have been met with resistance due to perceived friction in the user experience, especially when the requirement is implemented suddenly," Patrick Tiquet, Vice President of Security and Compliance at Keeper Security, said. Tiquet further emphasized that organizations leveraging Google Cloud will need to strategically prepare for MFA implementation across their workforce. 

This preparation includes comprehensive employee training on the critical role of multi-factor authentication in safeguarding organizational data and systems. Effective MFA adoption may be supported by tools such as password managers, which can streamline the process by securely storing and automatically filling MFA codes. Proper planning and training will be essential for organizations to successfully integrate MFA and enhance security measures across their teams.
Read more »
ransomware attacks
Columbus Data Breach CyberCrime Cyberhackers Cybersecurity CyberThreat Data Breach ransomware attacks

Columbus Data Breach Affects 500,000 in Recent Cyberattack

 


In July, a ransomware attack on Columbus, Ohio, compromised the personal information of an estimated 500,000 residents, marking one of the largest cyber incidents to affect a city in the United States in recent years. There has been great interest in the attack linked to the Rhysida ransomware group due to the extent of the data stolen as well as the controversy surrounding the city's response. 

The City of Columbus, the state capital of Ohio, has confirmed that hackers stole data from 500,000 residents during a ransomware attack in July, locking them out.  The City of Columbus confirmed in a filing with the state attorney general that a "foreign cyber threat actor" had infiltrated the city's network to access information about residents, including their names, dates of birth, addresses, ID documents, Social Security numbers, and bank accounts.  

With a population of 900,000 people, the city in Ohio has the largest population of any municipality in the state, with around half a million people affected by the flooding, but the exact number of victims has yet to be determined.  In a regulatory filing, the city revealed that it had "thwarted" a ransomware attack on July 18 of this year, which was the effect of disconnecting its network from the internet to thwart the attack. This attack has been claimed by the Rhysida ransomware group, which specializes in crypto-ransomware attacks.

Cybercriminals believed to be connected to Russian threat actors sought a ransom from Columbus in the initial stages of the attack, claiming that 6.5 TB of data was stolen by this group. It is alleged that Rhysida introduced 3.1 TB of data from this database to the dark web leak site after negotiations with the city failed. A significant data breach in the public sector has occurred within the last two years as a result of this exposure. 

 According to Rhysida, the ransomware gang, the attack occurred the same day. They claim they have stolen databases containing 6.5 TB of data, including information about staff credentials, video feeds from the city camera system, and server dumps, along with other sensitive data. There has been no increase in the amount of stolen data that is now being published on the dark web leak portal of the gang because they failed to extort the City. Some 45% of the stolen data includes 260,000 documents (3.1 TB) on this portal. 

There was no need to be concerned about the leak of the data because the data was "encrypted or corrupted" as the mayor of Columbus Andrew Ginther said in his statement to the Columbus media. As a result, David Leroy Ross (aka Connor Goodwolf) of the Security Research Group, a British security research company, refuted the Mayor's claim by sharing some samples of the leaked data with press outlets, which showed that it contained unencrypted personal information belonging to city employees, residents, and visitors. 

As of early August, Columbus had filed a lawsuit against security researcher David Leroy Ross, escalating the situation to a point where it became an extreme situation. In an announcement to the local media, Ross, who goes by the username "Connor Goodwolf", reported that residents' personal information had been uploaded on the dark web. According to the disclosure, Columbus officials had earlier claimed that only unusable, corrupted data had been stolen, which was contrary to the new disclosure.

The first cyber analysts to investigate the stolen data discovered a significant volume of sensitive files among them databases, password logs, cloud management files, employee payroll records, and even footage culled from city traffic cameras in the aftermath of Ross's revelations. In response to this attack, the city said it has committed to improving its cybersecurity protocols in the future to prevent similar attacks from happening again. 

In Columbus, a town of approximately 915,000 people, the Maine Attorney General's Office received a report from the city informing them that the breach may affect approximately 55% of its citizens. Those affected by this tragedy will receive two years of free credit monitoring and identity protection services as a gesture of goodwill from the city. The city of Columbus has been put under increasing public pressure to ensure that data is protected and transparent communications about the extent of the breach are made in light of rising public pressure. As a result of the City's lawsuit, Goodwolf is alleged to have spread stolen data illegally and negligently. 

There was a request for monetary damages with a request for a temporary restraining order and a permanent injunction, and the researcher was ordered to stop further dissemination of the leaked data to prevent future disclosures. It was decided in December 2011 that a temporary restraining order would be issued in Franklin County prohibiting Goodwolf from downloading and disseminating the data they stole from the City.

The City had previously claimed that the leaked data was useless, but as shown in breach notification letter samples filed with the Maine Attorney General's Office, despite its claims, it informed 500,000 people in early October that some of their financial and personal information had been stolen and published on the dark web by those who stole it. There has been a breach of the City information system, according to the breach notification letters, which include your personal information, including your first and last name, date of birth, address, bank account information, driver's license number, Social Security number, and other identifying information that may have been included as a result of the incident. 

Although the City has yet to find evidence of the misuse of its data, it warns those affected by this breach to keep a close eye on their credit reports and financial accounts to ensure no suspicious activity is taking place. It is now also offering 24 months of free 24 months of monitoring of credit and identity, provided by Experian IdentityWorks, as well as identity restoration services provided by Experian.
Read more »
Technology
CyberCrime Cyberhackers Cybersecurity CyberThreat iOS Devices LightSpy Technology

LightSpy Update Expands Surveillance on iOS Devices

 


It has been discovered that a newer version of LightSpy spyware, commonly used to target iOS devices, has been enhanced with the capability to compromise the security and stability of the device. LightSpy for macOS was first discovered by ThreatFabric, which published a report in May 2024 in which they described their findings with the malware. 

After a thorough investigation of the LightSpy client and server systems, the analysts discovered that they were using the same server to manage both the macOS and iOS versions of the program. IPhones are undeniably more secure than Android devices, however, Google has been making constant efforts to close the gap, so Apple devices are not immune to attacks. 

The fact that Apple now regularly alerts consumers when the company detects an attack, the fact that a new cyber report just released recently warns that iPhones are under attack from hackers who are equipped with enhanced cyber tools, and the fact that "rebooting an Apple device regularly is a good practice for Apple device owners" is a better practice. LightSpy is a program that many users are familiar with. Several security firms have reported that this spyware has already been identified on multiple occasions. 

The spyware attacks iOS, macOS, and Android devices at the same time. In any case, it has resurfaced in the headlines again, and ThreatFabric reports that it has been improved greatly. Among other things, the toolset has increased considerably from 12 to 28 plugins - notably, seven of these plugins are destructive, allowing them to interfere with the device's boot process adversely. The malware is being distributed by attack chains utilizing known security flaws in Apple iOS and macOS as a means of triggering a WebKit exploit. 

A file with an extension ".PNG" is dropped by this exploit, but this file, in fact, is a Mach-O binary that exploits a memory corruption flaw known as CVE-2020-3837 to retrieve next-stage payloads from a remote server. LightSpy comes with a component called FrameworkLoader, which in turn downloads the application's main module, the Core module, and the available plugins, which have increased from 12 to 28 since LightSpy 7.9.0 was released. 

The Dutch security company reports that after the Core starts up, it will perform an Internet connectivity check using Baidu.com domains and, upon checking those arguments, the arguments will be compared against those passed from FrameworkLoader, which will be used to determine the [command-and-control] data and working directory," the security company stated. This means that the Core will create subfolders for log files, databases, and exfiltrated data using the /var/containers/Bundle/AppleAppLit/working directory path. 

This plugin can collect a wide range of data, including Wi-Fi information, screenshots, location, iCloud Keychain, sound recordings, photos, browser history, contacts, call history, and SMS messages. Additionally, these plugins can be used to gather information from apps such as Files, LINE, Mail Master, Telegram, Tencent QQ, WeChat, and WhatsApp as well. In the latest version of LightSpy (7.9.0), a component called FrameworkLoader is responsible for downloading and installing LightSpy's Core module and its various plugins, which has increased in number from 12 to 28 in the most recent version. 

Upon Core's startup, it will query the Baidu.com domain for Internet connectivity before examining the arguments provided by FrameworkLoader as the working directory and command-and-control data to determine whether it can establish Internet connectivity. In the Core, subfolders for logs, databases, and exfiltrated data are made using the working directory path /var/containers/Bundle/AppleAppLit/ as a default path. 

Among the many details that the plugins can collect are information about Wi-Fi networks, screenshots, locations, iCloud Keychain, sound recordings, images, contacts, call history, and SMS messages, just to mention a few. The apps can also be configured to collect data from apps such as Files, LINE, Mail Master, Telegram, Tencent QQ, WeChat, and WhatsApp as well as from search engines. It should be noted that some of the recent additions to Google Chrome include some potentially damaging features that can erase contacts, media files, SMS messages, Wi-Fi settings profiles, and browsing history in addition to wiping contacts and media files. 

In some cases, these plugins are even capable of freezing the device and preventing it from starting up again once it is frozen. It has also been discovered that some LightSpy plugins can be used to create phony push alerts with a different URL embedded within them. Upon analyzing the C2 logs, it was found that 15 devices were infected, out of which eight were iOS devices. 

Researchers suspect that most of these devices are intentionally spreading malware from China or Hong Kong, and frequently connect to a special Wi-Fi network called Haso_618_5G, which resembles a test network and seems to originate from China or Hong Kong. It was also discovered during ThreatFabric's investigation that Light Spy contains a unique plugin for recalculating location data specific to Chinese systems, suggesting that the spyware's developers may live in China, as the information it contains appears to have been obtained from Chinese sources. 

LightSpy's operators heavily rely on "one-day exploits," and consequently they take advantage of vulnerabilities as soon as they become public information. Using ThreatFabric's recommendation as a guide to iOS users, they are advised to reboot their iOS devices regularly since LightSpy, since it relies on a "rootless jailbreak," can not survive a reboot, giving users a simple, but effective, means to disrupt persistent spyware infections on their devices. 

As the researchers say, "The LightSpy iOS case illustrates the importance of keeping system updates current," and advise users to do just that. "Terrorists behind the LightSpy attack monitor security researchers' publications closely, using exploits that have recently been reported by security researchers as a means of delivering payloads and escalating their privileges on affected devices." Most likely, the infection takes place through the use of lures, which lead to infected websites used by the intended victim groups, i.e. so-called watering holes on the Internet. 

For users concerned about potential vulnerability to such attacks, ThreatFabric advises a regular reboot if their iOS is not up-to-date. Although rebooting will not prevent the spyware from re-infecting the device, it can reduce the amount of data attackers can extract. Keeping the device restarted regularly provides an additional layer of defence by temporarily disrupting spyware's ability to persistently gather sensitive information.
Read more »
Technology
Artitifical Intelligence Bitfender CyberCrime Cyberhackers Cybersecurity CyberThreat Technology

Bitdefender's Perspective on Weaponized AI and Its Impact on Cybersecurity

 


Taking cybersecurity seriously is one of the biggest things users can do to protect their company from cyberattacks. While discussing with Bogdan "Bob" Botezatu, Director of Threat Research at Bitdefender, to get a deeper understanding of what is happening today, including the ever-growing role that Artificial Intelligence is playing in the criminal arena as well as in security.

It has been Botezatu's job to defend Bitdefender customer data from ransomware attacks, as well as to carry out research into IoT vulnerabilities for the past 20 years. He has worked in the cybersecurity industry during this time.  As a result of artificial intelligence, many people tend to envision a sci-fi world in which robots will be taking over human society and their daily routines as its known today. It's important to keep in mind that artificial intelligence is already here, improving everyday technologies like e-commerce, surveillance systems, and many others daily. 

It is a belief that cybercriminals prefer to target anyone, regardless of whether they can gain immediate financial gain from it. Rather, simply infecting someone's computer is of great importance, since having access to that device is very useful to them. Cybercriminals can take advantage of passwords held by them by renting these passwords to other cyber-criminal organizations to send spam or use them as proxies to disguise various illegal activities. 

Hackers can also use stolen identity and personal information to commit fraud. As a result of the rapid rise of artificial intelligence (AI) within the cyber security industry, great cybersecurity players like Bitdefender and bad actors are engaged in an arms race aimed at harming them.  In the context of the Internet of Things, Botezatu found that the growing number of devices connected to the Internet every year is introducing significant cybersecurity vulnerabilities. This essay explains how these devices, in many cases, serve as a liability for users, as many of the bugs they contain are regarded as purely user-centric.

It is widely acknowledged that individuals are at risk of network breaches due to insecure IoT devices, privacy breaches due to vulnerable video surveillance equipment, or even attacks on household items like thermostats that render the devices useless. There is not only the individual threat, but also the collective threat: compromised IoT devices can be incorporated into large botnets that are capable of launching distributed denial-of-service attacks (DDoS), disrupting critical infrastructures, and potentially jeopardizing the whole Internet ecosystem as a whole.

It is recommended that users safeguard all the devices they have connected to the computer through a cybersecurity solution, such as Bitdefender's Family Pack, which manages essential security functions for users, so they can focus on their regular activities without having to constantly monitor their computers. Further, he believes that it is extremely important to keep the software updated, especially those that address security issues because these updates are vital to the prevention of vulnerabilities that could be exploited by criminals to gain access to users. 

The lack of awareness continues to be an ongoing problem in 2024, despite an increase in awareness. This is contrary to what Botezatu describes as the continued prevalence of a lack of password hygiene, such as the practice of reusing passwords across accounts or using weak or compromised passwords. As a result of data breaches, criminals can use these stolen credentials to commit widespread attacks in which they try to gain access to numerous accounts using the stolen credentials. 

According to Botezatu, for each account, it is recommended to use a unique and complex password that can be changed regularly when possible to increase account security. Using tools such as Bitdefender's Password Manager, which simplifies the process of creating strong passwords, helps make it easier to use and remember them, and also helps with users' online security. He also emphasizes that all compatible accounts should be enabled with multi-factor authentication, which serves as an additional layer of protection to the account security in addition to multi-factor authentication. 

In the present day, cybercriminals use artificial intelligence to produce convincing synthetic media, which include deepfakes, which are videos or audio created to simulate the appearance and voice of a real person. A substantial amount of money is lost as a result of using such technology in scams, and Botezatu mentions that elderly individuals - who often have a limited understanding of technological advancements - are more susceptible to these kinds of scams than younger individuals. 

His approach in mitigating this threat is to encourage younger members of the family to play an active role in making sure they are educated about and protected from this threat. He recommends having discussions with seniors about common scams, such as cold calls designed to gain access to a device or account even if no false statements have been made, to protect them from fraud. Also, the development of "safe" communication rules, such as the agreement on a keyword that can be used to authenticate a caller, can help prevent impersonation attacks in the family and enhance trust between members. 

It has also been found that AI is useful for confirming the authenticity of users. In Behavioral Analytics, artificial intelligence is used to detect individuals from a group of people based on things such as how they use the keyboard or move the mouse, Botezatu explained. As a result of the use of these technologies, it is possible to detect deviations that may indicate malicious activity, including insider threats, compromised accounts, or unauthorized access to the system. In the end, the best way to protect against cyber-attacks is to combine powerful cybersecurity technology with user's own vigilance and active surveillance.
Read more »
Subscribe to: Posts (Atom)