Search This Blog
Powered by Blogger.

Blog Archive

Labels

Load More
Trendy Right Now

Popular Posts

Showing posts with label Cyberhackers. Show all posts
Privacy
Cyberattacks Cybercrimes Cyberhackers Cybersafety Cybersecurity Cyberthreats Hackers Privacy

The Evolution of Data Protection: Moving Beyond Passwords

 


As new threats emerge and defensive strategies evolve, the landscape of data protection is undergoing significant changes. With February 1 marking Change Your Password Day, it’s a timely reminder of the importance of strong password habits to safeguard digital information.

While conventional wisdom has long emphasized regularly updating passwords, cybersecurity experts, including those at the National Institute of Standards and Technology (NIST), have re-evaluated this approach. Current recommendations focus on creating complex yet easy-to-remember passphrases and integrating multi-factor authentication (MFA) as an additional layer of security.

Microsoft’s Vision for a Passwordless Future

Microsoft has long envisioned a world where passwords are no longer the primary method of authentication. Instead, the company advocates for the use of passkeys. While this vision has been clear for some time, the specifics of how this transition would occur have only recently been clarified.

In a detailed update from Microsoft’s Identity and Access Management team, Sangeeta Ranjit, Group Product Manager, and Scott Bingham, Principal Product Manager, outlined the anticipated process. They highlighted that cybercriminals are increasingly aware of the declining relevance of passwords and are intensifying password-focused attacks while they still can.

Microsoft has confirmed that passwords will eventually be phased out for authentication. Although over a billion users are expected to adopt passkeys soon, a significant number may continue using both passkeys and traditional passwords simultaneously. This dual usage introduces risks, as both methods can be exploited, potentially leading to privacy breaches.

According to Bingham and Ranjit, the long-term focus must be on phishing-resistant authentication techniques and the complete elimination of passwords within organizations. Simplifying password management while enhancing security remains a critical challenge.

The Need for Advanced Security Solutions

While passwords still play a role in authentication, they are no longer sufficient as the sole defense against increasingly sophisticated cyber threats. The shift toward passwordless authentication requires the development of new technologies that provide robust security without complicating the user experience.

One such solution is compromised credential monitoring, which detects when sensitive information, such as passwords, is exposed on the dark web. This technology promptly notifies administrators or affected users, enabling them to take immediate corrective actions, such as changing compromised credentials.

As the era of passwords draws to a close, organizations and individuals must embrace more secure and user-friendly authentication methods. By adopting advanced technologies and staying informed about the latest developments, we can better protect our digital information in an ever-evolving threat landscape.

Read more »
Sophos report
Cyber Attacks CyberCrime Cyberhackers CyberThreat IT Support System Sophos report

Hackers Use IT Support Disguise to Infiltrate Systems

 


Cybercriminals in Russia are using a scam to trick their victims into allowing them to install ransomware on their computers by pretending to be technical support via Microsoft Teams. Once they have convinced victims they have an IT problem, they then trick them into allowing ransomware to be installed on the target's networks. 

A British cybersecurity company, Sophos, reported on Thursday that it had observed over 15 instances of two separate groups attempting to socially engineer their way onto a victim's computer using Microsoft Office 365’s default settings. Several reports have indicated that these gangs are bombarding employees with spam emails before approaching employees through Teams to “resolve” the issue. Eventually, they trick their victims into granting them remote computer access. 

Upon gaining access, attackers will install malicious software that will steal data, freeze computer systems, and hold organizations to ransom once they are given access. As a result of this fast-spreading campaign, Sophos linked it to two Russian criminal groups, Fin7 and Storm-1811, according to Sophos. According to the company, 15 times during the last three months, and 8 times in the past fortnight, the tactic has been used. 

The cybersecurity company Sophos has reported that hackers increasingly use a technique to send 3,000 spam messages in an hour to workers, before contacting them through Teams to fix the problem. Nevertheless, when the victims provide remote access to their computers, the hackers can install malicious software that essentially extracts all their data from the computer. In light of the growing use of the tactic, businesses that use Teams, Microsoft's flagship platform for working from home, and other Microsoft products have been warned to be on “high alert” as the tactic is spread more widely. 

The company's principal threat researcher, Sean Gallagher, stated that "Microsoft Teams by default allows people outside an organization to connect with or call the internal team at a company, so attackers are utilizing this feature. This revelation comes in light of a British government plan to ban ransomware payments as a result of a recent report. 

As a part of a plan to combat a rise in cybercriminal activity, councils, schools, NHS trusts, and other public sector organizations will be barred from paying ransomware in exchange for services. Experts are describing this as the largest anti-ransomware measure ever taken by any national government. As part of the investigation on the U.S. election, the fake support staff had instructed the employee to allow a remote screen control session on Election Day. The attacker used the remote control session to open a command shell, drop a file, and execute malware. 

Two files contained obfuscation methods that had previously been used by FIN7 code, namely a Java archive (JAR) and a Python code archive (zip) copied from the JAR. According to Sophos, FIN7 has a history of selling tools to other cybercriminals, which can find ways to obfuscate the code, and their methods of obfuscation themselves are based on public code. 

The hackers also employed an entirely different strategy during the fake support chat and once they gained access to the victim's device as part of this group of actions — they used a lot more “hands-on-key” approach, and scripted commands, which were executed by the hackers themselves. In this sense, the attack more closely overlapped with what Microsoft stated in the report on Storm-1811. A spokesperson for Sophos states that if a company is not required to restrict calls from outside organizations or to trusted business partners, it should ensure that those capabilities are restricted. The company also recommends that organizations restrict remote access applications by policy unless it is necessary. 

As with many other sectors, cybersecurity experts emphasize that for businesses to be fully prepared to deal with evolving threats, they must strengthen their cybersecurity practices. This recommendation includes limiting external access to the organization by adjusting Microsoft Teams settings to prevent direct communications from outside of the organization. 

The company should also provide comprehensive employee training so employees can identify and report phishing attempts and social engineering tactics. It is also recommended that critical data be backed up regularly and kept secure offline, to minimize the impact of ransomware attacks. Although Microsoft Teams has proved invaluable for remote collaboration, its wide accessibility has made it a target for malicious actors, as cybercriminals refine their methods and maintain vigilance towards threats. 

Even though Microsoft Teams has proved to be incredibly useful for remote collaboration, it has also become a target for malicious actors once they refine their methods and become more sophisticated. Cybersecurity experts recommend businesses contact them if they notice any irregular activity on the Teams platform, for example, if they notice an increase in spam messages or a rise in suspicious interactions in the Teams app. 

Those interested in combating cybercrime can find a variety of online courses taught by TheHackAcademy that will assist them in simplifying complex cybersecurity concepts as well as providing practical skills to help them protect themselves from harm. It is designed to accommodate learners of all skill levels, from IT professionals to people seeking more information on personal online safety, and offers topics such as identifying phishing scams and defending against ransomware attacks. These courses are open to all levels of learning.
Read more »
PKI
Cyber Security Cyberattacks Cyberencryption Cyberhackers CyberThreat MFA PKI

Why MFA Failures Signal Greater Cybersecurity Challenges

 


In the current cybersecurity era, multi-factor authentication (MFA) is widely recommended and often mandated across several sectors, making it one of the most popular security measures that are available. As stated by the Cybersecurity and Infrastructure Security Agency (CISA), implementing MFA is an easy-to-follow method for safeguarding organizations and reducing the risk of account compromise attacks significantly, thereby ensuring the organization's security. 

Several key guidelines and regulations emphasize the importance of multi-factor authentication (MFA) for improving security protocols in several ways, for example, NIST Special Publication (NIST SP) 800-63-3 stipulates that multi-factor authentication is a requirement for systems requiring authentication assurance levels two and three (AAL). 

As an additional measure of security, Executive Order 14028 directs all government agencies in the United States to adopt multi-factor authentication. Several industry standards, including the Payment Card Industry Data Security Standard (PCI DSS) and the Service Organization Control 2 (SOC 2), also require MFA to secure sensitive data environments, to ensure compliance with these standards, and even though MFA has been widely endorsed, emerging concerns over its vulnerabilities are prompting experts to examine its limitations and potential risks in light of those concerns. As the traditional mechanisms of multi-factor authentication (MFA), which have been widely considered a cornerstone of cybersecurity for many years, are struggling to keep pace with the advancing threats, they are coming under more scrutiny. 

It is becoming increasingly evident that legacy multifactor authentication systems are being circumvented with alarming effectiveness as a result of phishing campaigns, ransomware attacks, and advanced exploitation techniques. MFA has become increasingly vulnerable to sophisticated cyberattacks and these developments raise serious concerns about its reliability as a protection measure. Authentication by multiple factors (MFA) has been a cornerstone of cybersecurity for decades.

It has proven to be a very effective method of strengthening security perimeters against unauthorized access. However, with the relentless evolution of cyber threats, it is imperative that organizations continually evaluate whether it is effective. Emerging vulnerabilities in traditional MFA approaches emphasize the importance of adjusting and evolving the security perimeters. 

As a result, the use of SIM swapping techniques, in which attackers hijack mobile phone numbers to intercept SMS codes, has become increasingly prevalent, resulting in significant financial losses. In addition, authentication fatigue is also a growing challenge, since users who are overwhelmed with frequent prompts may adopt risky behaviors, such as sharing codes or circumventing security protocols, that can lead to significant financial losses. 

Moreover, new forms of exploitation of biometric authentication are becoming available because of advances in artificial intelligence and deep-fake technology. As a result of push notification hijacking and sophisticated account takeover techniques, legacy MFA systems remain vulnerable to exploitation. The vulnerability highlights the need to diversify authentication factors, incorporate risk-based assessments, and leverage advanced threat detection tools to enhance security against these threats. 

A crucial part of modern cybersecurity strategies remains Multi-factor authentication (MFA), but it is not immune from failure; organizations should take proactive measures to strengthen their defenses and educate their users about the threats they are facing. In today's rapidly changing threat landscape, it is imperative to maintain an adaptive and dynamic authentication approach to maintain a resilient security posture. 

Insurers are advised to consider the importance of multi-factor authentication (MFA) when insuring businesses because it directly impacts the level of risk incurred by the business. Providing another layer of security to sensitive systems besides passwords makes MFA a very effective security measure that significantly reduces the likelihood of unauthorized access to sensitive systems. In turn, this reduces the risk of cyberattacks, phishing attempts, account takeovers, and credential stuffing, among other cyber threats. 

As insurers, it is important to know if a company has implemented MFA as well as how effectively it is used so that the overall risk profile can be assessed. Insurance companies can price policies accurately based on this knowledge, ensuring that the policies reflect a company's true security posture. A company's liability liability may be misjudged if insurers do not receive this critical information, leaving them at risk of inadequate coverage or increased claims exposure. The use of multi-factor authentication has been a key way of preventing unauthorized access for years, but it is no longer immune to evolving threats as it has been for years. 

As the frequency of tactics such as SIM swapping increases, the risk of hackers intercepting SMS codes has increased, resulting in significant financial losses for the company. Additionally, authentication fatigue is still a concern, as users may bypass security measures or share MFA codes if they become overwhelmed by constant prompts. As artificial intelligence and deepfake technologies continue to rise, biometric systems are becoming more vulnerable. 

Moreover, push notifications hijacking and account takeover methods illustrate the limitations of legacy multi-factor authentication systems. To deal with these challenges, a variety of authentication factors must be used, dynamic risk assessments must be conducted, and advanced threat detection tools be incorporated. While Multi-factor authentication remains a cornerstone of cybersecurity, organizations should continue to strengthen their defenses and adapt their strategies to stay ahead of emerging threats even though MFA remains a cornerstone. 

Today's increasingly complex technological landscape has made biometric authentication an increasingly challenging process, despite being once hailed as a breakthrough in securing systems where passwords failed to work. As far as fingerprints, facial recognition, and retinal scanners were concerned, they were once considered unique and practically impenetrable, but now deepfake technology has disrupted the perception that these systems are secure. As deepfakes have become more sophisticated, they have been revealing critical flaws in biometric systems that can mimic voices, facial features, and even expressions in real-time.

It is warned that as deepfakes become more common in the business world, organizations will need to adopt additional verification procedures to keep their business environment secure, particularly when conducting sensitive transactions. Approximately one-third of businesses may abandon facial recognition technology altogether by the year 2026, signaling an erosion of trust in biometrics as a whole. In light of the increasing threats from insecure biometrics, organizations must reevaluate their dependence on these technologies and implement robust countermeasures to address them. When stakes continue to rise in cyberspace, it will be imperative to safeguard sensitive systems against exploitation by adapting strategies and implementing layered defenses. 

A significant advancement has been achieved in the field of digital security in the form of the integration of Public Key Infrastructure (PKI) into Multi-Factor Authentication (MFA) systems. In the process of verifying identities through digital certificates, a PKI provides a secure framework for the authentication of users. As cybersecurity threats continue to evolve, PKI's role in enhancing multifactor authentication is gaining prominence. 

PKI guarantees ethe encryption of data transmission and employs digital signatures to guarantee the integrity and authenticity of the data. Based on a study by Orbis Market Reports, it has been projected that PKI will continue to grow in the authentication market, indicating its increasing adoption. Organizations are making progress towards a safer digital environment by combining PKI with adaptive authentication and artificial intelligence. As an integral part of cybersecurity, multifactor authentication plays a critical role, but it is not sufficient by itself to address every risk associated with cybercrime. 

Companies must integrate multifactor authentication with advanced threat detection, ongoing monitoring, and other proactive security measures to build a robust security framework. Layered approaches are essential for combating evolving threats and ensuring comprehensive protection for their systems.
Read more »
Treasury Department
CISA & FBI CybeCrime Cyber Attacks Cyberfraud Cyberhackers Cybersecurity Hackers Treasury Department

Emerging Allegations of Chinese Espionage Targeting US Treasury

 


An alleged hacker named Yin Kecheng and a cybersecurity company called Sichuan Juxinhe Network Technology Co were sanctioned on Friday by the US Treasury Department for involvement in a string of hacks against American telecom companies.

Kecheng is a Shanghai-based cybercriminal with an affiliation with the PRC Ministry of State Security who has been associated with the recent breach of the Department of Treasury's network. An organization called Sichuan Juxinhe, a cybersecurity company based in Sichuan, was directly involved with Salt Typhoon's cyber-attacks. 

PRC-linked Salt Typhoon cyber-espionage activities have resulted in numerous compromises of US telecommunications and internet service provider companies as part of a broad cyber espionage campaign, that has been carried out for several years. As a result of these intrusions, which are known as the Salt Typhoon, a massive number of American call logs have been exposed to Chinese spies, raising alarms in the US intelligence community. 

As far as some lawmakers are concerned, there have been instances where hackers have intercepted conversations with prominent politicians and government officials in the United States. Some lawmakers have described them as the worst hack on a telecom company in American history.

An agency within the U.S. Treasury Department (OFAC) has imposed sanctions on a Chinese cybersecurity firm and a Shanghai-based cyber actor in the wake of the recent compromise of a federal agency that appears to be connected to an organized criminal group known as Salt Typhoon. After the attack, it was revealed that the attackers had targeted the Office of Foreign Assets Control (OFAC) in addition to the Treasury Secretary's Office. 

According to a Washington Post report that cited unidentified US officials, China has been targeting the tools that the US uses to achieve its national security objectives, such as economic sanctions against adversaries, to do so. The Cybersecurity and Infrastructure Security Agency (CISA) has recently issued an update that supports the notion that the attack directly targeted the US's structure that controls foreign economic affairs, supported by an update provided by CISA this week that further supports this theory. 

It has been reported that malicious cyber actors linked to the People's Republic of China (PRC) continue to target U.S. government systems, including the recent cyberattacks on Treasury's information technology (IT) systems, as well as sensitive US critical infrastructure," according to the Treasury. Also, Salt Typhoon, a group that is believed to be linked to the People's Republic of China, has recently allegedly breached nine major telecommunications firms in a huge attack on US critical infrastructure, according to reports. 

As a result of this, Verizon, AT&T, and Lumen Technologies were among the many victims, where threat actors had lurked in their networks for months. The Treasury's announcement is just one in a series of similar actions against Chinese threat actors. The company Integrity Technology Group, based in Beijing, was sanctioned on January 3 for its involvement in a Chinese state hacking group known as Flax Typhoon, which allegedly participated in the hacking. 

It has been reported that in December, another Chinese hacking contractor, Sichuan Silence Information Technology, was subjected to U.S. sanctions after being blacklisted along with an arrest warrant against a Chinese national who is accused of developing a zero-day exploit for Sophos firewalls while employed at Sichuan Silence. 

Aside from the designations, there have been several other steps taken by the Treasury to combat malicious cyber activity originating from Chinese hackers. The agency has previously sanctioned Integrity Technology Group (Flax Typhoon), Sichuan Silence Information Technology Company (Pacific Rim), and Wuhan Xiaoruizhi Science and Technology Company (APT31). A new executive order signed by the Biden administration on Thursday would allow Treasury to extend its authority to sanction anyone complicit in hacking crimes under the extortion laws, indicating the administration's intention to prosecute them more aggressively going forward. 

Treasury is empowered to sanction anyone who, directly or indirectly, enabled hacking, as well as anyone who knowingly uses hacked data for financial gain, under the executive order of January 15, 2011. The director of CISA, in a blog post dated January 15, 2009, wrote that Beijing’s cyber program is very sophisticated and well-resourced, which poses a threat to the critical infrastructure in the United States. 

As Easterly pointed out, the administration has managed to eradicate some Chinese intrusions, however, there is a need for further strengthening cyber security and vigilance across the public and private sectors to reduce threats from these groups. CISA has in response, she said, developed three "lines of effort" aimed at addressing persistent threats and reducing the risk to American citizens. The first step is to exterminate Chinese cyber actors from the victims' networks. There is also the possibility of collaborating on cyber defence with key industry partners in the fields of information technology, communication, and cybersecurity. 

As a final step, cybersecurity services such as CyberSentry, a threat detection capability managed by CISA, can be utilized to reduce the risk of Chinesecybercriminalss posing a threat. In addition to attack surface management, CISA also provides a form of cyber defence that involves identifying and mitigating the technology defects that allow cyber threats to gain an edge, and 7,000 critical service organizations have already used CISA's services. 

Easterly noted that the CISA service was already offered to more than 7,000 organizations that rely on critical services. The attackers are reported to have broken into no less than 400 computers owned by the Treasury, as reported in a recent Bloomberg report and stolen more than 3,500 files. These include documents such as policies and travels, organizational charts, sanctions, and foreign investment materials as well as 'Law Enforcement Sensitive' materials. Additionally, they were able to gain access unauthorized to the computers of Secretary Janet Yellen, Deputy Secretary Adewale Adeyemo, and Acting Under Secretary Bradley T Smith, as well as materials relating to investigations conducted by the Committee on Foreign Investment in the United States. 

Silk Typhoon has been linked to a cluster of Chinese espionage actors known for using Ivanti zero-day vulnerabilities extensively, which has been tracked by Google's Mandiant under the moniker UNC5221 by Mandiant, which is an espionage network owned by Mandiant. Throughout the last year, there have been an increased number of court actions, which led to the arrest of hacking suspect Yin Kecheng in Shanghai and the imposing of sanctions against Sichuan Juxinhe Network Technology Co., LTD, as well as their ability to conduct business in the United States. 

In the first instance, the Treasury Department sanctioned a Beijing-based cybersecurity company that is suspected of being involved in multiple cyberattacks targeting vital infrastructures in the United States earlier this month. U.S. accusations of hacking have been repeatedly denied by the Chinese government, including last month's dispute about the Treasury Department hacking allegations. 

The sanctions announced on Friday do not provide any new details regarding the scope of the hack into the Treasury Department, which the agency said was discovered on December 8. Thus, a third-party software provider, BeyondTrust, has pointed out that hackers were stealing a key that was used by the vendor to secure a cloud-based service that provides remote technical support to workers. This key facilitated the hackers in overriding the security measures of the service and gaining remote access to several employee workstations as a result.
Read more »
Technology
Bitcoin Blockchain Cyberattacks Cyberhackers Cybersecurity CyberThreat Quantum Resistance Solana Technology

Solana Pioneers Quantum Resistance in Blockchain Technology

 


There is no denying that Solana, one of the fastest-growing blockchain networks, has introduced a groundbreaking security feature called the Winternitz Vault. This feature will protect digital assets from quantum computing threats while maintaining the platform's high performance. Solana intends to address the challenges posed by quantum computing proactively to safeguard its users' funds and ensure the longevity of its blockchain infrastructure. 

With the help of a decades-old cryptographic technique, Solana has developed a quantum-resistant vault that uses this technique to protect users' funds from quantum computer attacks. As part of the solution, known as the Solana Winternitz Vault, new keys are generated for every transaction as part of a hash-based signature system. 

The company introduced a system called the "Solana Winternitz Vault" that protects user funds from quantum threats. The vault utilises a hash-based signature system that generates new keys for every transaction, making it highly secure. The chief scientist at Zeus Network, Dean Little, who is also a cryptography researcher, elaborated in a GitHub post that this approach complicates quantum computing and makes it harder for quantum computers to orchestrate coordinated attacks on public keys that are exposed during transactions, diminishing their ability to execute coordinated attacks. Since the vault exists in the current version as an optional feature, rather than as part of the network security upgrade, no fork is in sight. 

As a result, users will need to actively store their funds in Winternitz Vaults instead of regular Solana Wallets if they wish to ensure that their funds remain quantum-proof. Even though the quantum-resistant vault is an optional feature rather than a system-wide requirement, it is important to note that it is still an optional feature. For this enhanced security to be realised, users need to choose to store their funds in the Winternitz Vault rather than the standard Solana wallet. 

The vault's operation includes creating a split-and-refund account system to ensure secure fund transfers while protecting residual balances. The Winternitz Vault, a quantum-resistant solution developed by Solana developers, has been implemented to counter this risk and is based on a cryptographic technique dating back decades. 

As a result of the vault's hash-based signature system, which generates new keys with each transaction, quantum computers are less likely to be able to crack the cryptographic keys because the vault employs a hash-based signature system. Using the Winternitz One-Time Signatures protocol, this vault creates 32 private key scalars that are hashed 256 times. It does not store the entire public key but only its hash for verification purposes. 

It is important to note that every time a transaction is carried out, the vault creates a new set of keys, so no hacker can predict or steal a key before it is used. Solana's Winternitz Vault sets a new benchmark for blockchain security in the face of quantum computing, allowing users to take advantage of the optional tools necessary to protect their digital assets against future threats. 

By implementing this forward-looking strategy, Solana reinforces its commitment to innovation and security that it has always displayed, placing it as a market leader in the blockchain space as quantum computing continues to develop, providing blockchain networks like Solana the flexibility to adapt to new challenges as they arise. It is Solana's goal to stay abreast of such advancements, ensuring its users can be assured that their digital assets can be safeguarded with confidence, regardless of future technological advances. 

Nonetheless, Cornell University researchers have found that breaking an elliptic curve cryptographic key with 160 bits would require approximately 1,000 qubits, which is far more than is currently available. The blockchain industry is still pushing forward despite this. In its beta stage, QAN, for example, claimed it had achieved "quantum hardness," and other protocols have quietly improved their cryptographic foundations. 

In recent years, quantum computing power has been predicted to grow exponentially – a phenomenon known as Neven's Law – and some experts believe that this will happen in the future. This forecast has driven more blockchain developers to implement quantum-resistant solutions, even though full-scale quantum computers are still years or decades away from seriously threatening the current cryptographic standards for coins, tokens, and other applications. Considering quantum resistance as an extra feature for many crypto projects may seem overkill, but Web3 developers are known for always being two steps ahead of the game.

Read more »
Technology
Border Security Force CyberCrime Cyberhackers Cybersecurity Cyberthreats GPS Technology

Rising GPS Interference Threatens Global Aviation and Border Security

 


A recent report by OPS Group, a global aviation safety network, has highlighted a sharp rise in GPS interference across several global conflict zones, including India’s borders with Pakistan and Myanmar. This interference poses significant risks to passenger aircraft flying over these regions, raising serious safety concerns.

Causes of GPS Interference

According to the September report, the increase in GPS interference near borders stems from enhanced security measures and the widespread use of drones for illicit activities. These factors have contributed to the rise of “spoofing,” a cyberattack technique where false GPS signals are transmitted to deceive navigation systems. By manipulating GPS signals, spoofing can create false positions, speeds, or altitudes, leading to impaired navigation accuracy and potential aviation incidents.

To counter these threats, technologies like the Inertial Reference System (IRS) provide an alternative to GPS by calculating positions independently. The IRS offers similar accuracy and is unaffected by signal disruptions, making it a valuable backup for navigation systems in high-risk zones.

India has implemented GPS jamming technologies along its border with Pakistan to enhance security and combat drone-based smuggling operations. These drones, often used to transport narcotics, weapons, and counterfeit currency, have become a growing concern. Reports indicate that GPS interference in the region has reached levels of 10%, significantly hindering illegal drone activity. The Border Security Force (BSF) has recovered a range of contraband, including narcotics and small arms, thanks to these efforts.

Drone activity has surged in recent years, particularly along the India-Pakistan border. In Punjab alone, sightings increased from 48 in 2020 to 267 in 2022, accounting for over 83% of reported drone activities along this border. The eastern border has also seen a rise in drone use for smuggling gold, exotic wildlife, and other contraband from Myanmar and Bangladesh. While effective against drones, GPS jamming can inadvertently impact civilian navigation systems, affecting vehicle and aircraft operations in the vicinity.

Global Aviation Safety Concerns

The issue of GPS interference extends beyond border security and affects global aviation. During this year’s 14th Air Navigation Conference held by the International Civil Aviation Organization (ICAO) in Montreal, delegates addressed the growing risks posed by interference with the Global Navigation Satellite System (GNSS). Such disruptions can compromise the accuracy of aircraft positioning and navigation systems, raising safety concerns.

To mitigate these risks, the conference proposed measures such as enhanced communication between stakeholders, improved information-sharing mechanisms, and the establishment of a global contingency plan for GNSS signal outages. These initiatives aim to reduce the impact of GPS interference on aviation safety and ensure continuity in navigation services.

The rising prevalence of GPS interference underscores the need for robust countermeasures and international collaboration. While advancements in jamming technologies and alternative navigation systems address immediate threats, a long-term strategy focused on securing navigation infrastructure and mitigating interference is essential for safeguarding both national security and global aviation operations.

Read more »
Vulnerabilities and Exploits
Cyberattacks CyberCrime Cyberhackers Cybersecurity Cyberthreats Four-Fait Routers VulnCheck Vulnerabilities and Exploits

Critical Security Issue Hits Four-Faith Routers

 


According to VulnCheck, a critical vulnerability identified as CVE-2024-12856 has been discovered in Four-Faith industrial routers, specifically affecting the F3x24 and F3x36 models, as well as users’ machines. Evidence suggests active exploitation of this vulnerability in the wild, raising significant security concerns for industrial and enterprise users. The flaw resides in the router’s system time adjustment function, where a post-authentication vulnerability allows attackers to execute remote commands on compromised devices.

Technical Details of the Vulnerability

The routers, running firmware version 2.0, are susceptible to an authenticated remote command execution flaw via the HTTP endpoint apply.cgi. Attackers can manipulate the system time parameter using POST requests, enabling arbitrary command execution. Additionally, the firmware is configured with default credentials that, if left unchanged, can escalate the vulnerability to allow unauthenticated remote OS command injection.

Data provided by VulnCheck indicates that approximately 15,000 internet-facing routers may be affected by this issue. Exploitation campaigns have been observed since at least November 2024, with attackers altering system parameters remotely. The attacks appear to originate from multiple IP addresses and utilize Mirai-like payloads to compromise the devices. VulnCheck notes that some payloads share similarities with those used to exploit a prior vulnerability (CVE-2019-12168), although the underlying components differ.

Security researchers have identified attack patterns involving two primary IP addresses, including 178.215.238.91, as sources of active exploitation campaigns. User-Agent strings from these attacks match earlier campaigns documented in November 2024, with new payload variations targeting the identified flaw. While the attacks remain low-scale, they demonstrate a high level of persistence.

Censys data corroborates VulnCheck’s findings, suggesting that the vulnerability has been exploited consistently since its initial observation. Despite this, an official from Bains, speaking to The Hacker News, emphasized that the attacks are not widespread and appear to involve a small number of attackers using spamming techniques at a low frequency.

Mitigation Recommendations

As of now, there is no confirmation regarding the availability of security patches for the affected firmware. VulnCheck disclosed the vulnerability to Four-Faith on December 20, 2024, and awaits a response. In the interim, researchers strongly advise users to take the following measures to mitigate potential risks:

  • Immediately change default credentials on affected devices.
  • Restrict network exposure by placing routers behind firewalls or VPNs.
  • Monitor device activity for unusual or unauthorized behavior.
  • Implement detection rules, such as the Suricata rule provided by VulnCheck, to identify suspicious HTTP POST requests indicative of the attack.

Impact and Implications

By exploiting this vulnerability, attackers can gain full control over affected devices, including executing reverse shell commands to maintain persistent access while concealing their identities. Such control poses a severe threat to organizations reliant on Four-Faith routers for critical operations.

The absence of immediate patches has prompted security researchers to highlight the importance of adopting proactive measures. Organizations are advised to strengthen their defenses against suspicious activity while awaiting updates from Four-Faith. VulnCheck, adhering to responsible disclosure policies, has withheld additional technical details and information about patches until a response from the manufacturer is received.

This incident underscores the critical need for robust firmware security practices, including eliminating default credentials and ensuring timely patch management, to protect against emerging threats in industrial environments.

Read more »
Online Store Security
Cyberattacks CyberCrime Cyberfrauds Cyberhackers Cybersecurity CyberThreat JavaScript malware Online Store Security

Cyberattack Compromises European Space Agency Online Store Security

 


A malware attack on the European Space Agency's official web shop revealed that the application was hacked by loading a JavaScript script that generated a fake Stripe payment page at checkout. With an annual budget of more than 10 billion euros, the European Space Agency (ESA) is dedicated to extending the boundaries of space activity through the training of astronauts and the development of rockets and satellites for exploring our universe's mysteries. 

Thousands of people were put at risk of wire fraud after the European Space Agency (ESA) website was compromised due to the recent exploitation of a credit card skimmer, which was found to be malicious on ESA's webshop. According to researchers from Sansec, the script creates a fake Stripe payment page when the customer is at checkout, which collects information from the customer. 

As a result of the fake payment page being served directly from ESA's web shop, which mimicked an authentic Stripe interface, it appeared authentic to unsuspecting users, who were unaware of the fraudulent payment process. According to Source Defense Research, screenshots of the malicious payment page were provided alongside the real one in the post, but this attack took advantage of domain spoofing with a different top-level domain to exploit domain spoofing, using a nearly identical domain name for the attack. 

The official shop of the European Space Agency is located under the domain "esaspaceshop.com," but the attackers used the domain "esaspaceshop.pics" to deceive visitors. Sansec, who flagged the incident, emphasized that the integration of the webshop with ESA's internal systems could significantly increase the risks for both employees and customers of the agency. 

An examination of the malicious script revealed that its HTML code was obscured, which facilitated detection as well as the theft of sensitive payment information, as it contained obfuscated HTML code derived from the legitimate Stripe SDK. The malicious code was created to create a convincing fake Stripe payment interface that looked legitimate because it was hosted by the official ESA web store domain. 

Although the fake payment page was removed, researchers discovered that the malicious script remained in the source code of the site. As of today, the ESA website has been taken offline, displaying a message indicating it has been taken out of orbit for an extended period. The agency clarified that this store is not hosted by its infrastructure, and they do not manage its associated data. 

As confirmed by whois lookup records indicating different ownership between the main domain of ESA (esa.int) and the compromised web store, it is not known exactly how many customers were affected by the breach, nor what financial impact it had. According to ESA's website, the company is well known for its role in astronaut training and satellite launches. However, it has not yet provided details as to how it intends to strengthen its online security measures after the incident occurred. 

A recent cyberattack on well-respected institutions shows just how vulnerable they can be to cyber attacks, especially when their e-commerce systems are integrated into a broader organization's network. According to cybersecurity experts, e-commerce platforms are urged to prioritize robust security protocols to prevent similar incidents from occurring in the future. This can erode customer trust and result in significant financial consequences. 

The past few months have seen an increase in cyberattacks targeting e-commerce platforms, with criminals using digital skimming methods to steal payment information. Earlier in August 2024, Malwarebytes reported that it had infiltrated Magento-based e-commerce platforms with skimmer code, exposing sensitive customer information, such as credit card numbers, by November 2024, as described by Malwarebytes. 

Sucuri discovered several PHP-based skimmers, such as Smilodon, harvesting payment data covertly. Although these skimmers were highly obfuscated, their detection was significantly hindered. Finland's Cybersecurity Centre reported in December 2024 that skimming attacks were on the rise, where malicious code embedded on payment pages was used to steal credit card information. Those developments highlight the crucial need for e-commerce platforms to implement robust security measures to ensure their customers' data is protected from unauthorized access. 

It is still unclear who was responsible for these attacks, but Magecart, one of the most infamous threat groups around, has been previously linked to similar activities, including installing credit card skimmers on prominent websites, which are typical of such attacks. During March 2023, Malwarebytes speculated that this group was involved in an extensive series of attacks targeting multiple online retailers, but this was not the first mention of the group. 

The majority of victims of credit card fraud that results from such breaches can receive refunds from their banks. Cybercriminals, however, use the stolen funds to finance malicious campaigns, including malware distribution. Likely, significant damage has already been done by the time the affected cards are locked and the funds are returned, even though the stolen funds can be used to finance fraudulent campaigns.
Read more »
Privacy
Camera Security Breach. Cyberattacks CyberCrime Cyberhackers Cybersecurity Cyberthreats Data Theft Privacy

Thousands of Users Exposed by Flawed Camera Streaming App

 


A Cybernews research team discovered a huge exposed data server on June 25th. The server contained 3GB of personal information and telemetry from iPhones equipped with an app known as "Home V." According to the log samples, the data is related to the Home V app, which is used to manage Virtavo security cameras. Elasticsearch, a data analytics and search engine, was exposed by an unsecured server that provided logs containing phone numbers, device identifiers, IP addresses, and firmware versions, among other details about the devices, the network, and the users. 

It has been suspected that these logs were diagnostic reports, which were updated in real-time and appear to have been used for performance monitoring or troubleshooting. As a result of the server's malfunction, more than 8.7 million records were left on the server. Several snapshots were duplicates and for some unique identifiers, there was an appearance of up to 50 snapshots at the same time. In a study, researchers estimated that over 100,000 unique users could be affected, while cybersecurity researchers were able to find an exposed data server that contained 3GB of personal information and was capable of receiving telemetry from iOS devices. 

During the summer of 2023, all the information in the world had one thing in common: it was generated by an app called Home V, which managed Virtavo security cameras. These cameras were capable of streaming videos, playing back videos, communicating with each other, receiving motion alerts, etc. However, indoor surveillance cameras are vulnerable to hacking techniques, which can pose significant security risks due to their vulnerability. Many wireless cameras are pre-configured with usernames such as "admin" and passwords which are easily guessable, such as "admin," "888888," or "123456", which is a common vulnerability. 

When cyber attackers try to gain unauthorized access to online cameras by scanning their cameras and attempting to use these standard login details, they exploit these weak credentials. This can be addressed by implementing a password manager, which will generate and store strong, unique passwords to prevent these attacks. Password security is a significant concern for many people, especially when transmitting unencrypted data. 

Even though users can update a camera's password, some devices still transmit this information unencrypted over the internet. Consequently, they may be able to be intercepted by attackers and then used to access the camera if they have the stolen information. It is also possible that the Wi-Fi password is transmitted unencrypted in some cases, further undermining your network's security. In particular, one of the most severe threats is the possibility of a full camera takeover, in which attackers gain access to the device at the root level. 

ith this level of access, attackers can fully control the camera. As a result of such an attack, the surveillance camera can be turned into a tool for further malicious activities if it is tampered with, its settings are altered, and it can even be installed with malware. To minimize these risks, users must make sure that they take steps to ensure that their security systems are protected by strong passwords, encrypting their data and staying abreast of potential vulnerabilities. 

The exposed logs contained a wide range of critical information regarding the user and the device, raising concerns about data security and privacy. Among other things, the information also contained information regarding the device and software, such as the version of the app, the device model (e.g., iPhone12,5, which corresponds to the iPhone 11 Pro Max), the operating system, the firmware version, as well as details regarding video decoding, including the use of video decoding software such as "VideoTool Box" to decode H.264 files. 

 As part of the project, information related to the user’s network was collected, including their country code (e.g., CN for China), their IP address which identified the server's physical location, their connection type, such as “cellular,” and information about the network operator and settings. It was also revealed that the data contained unique user identifiers, such as user accounts linked to phone numbers or email addresses, as well as unique user identifiers (User IDs and UUIDs), and numeric device identifiers, which were all part of the exposed data. 

It is also possible to measure performance metrics, such as how fast the video frame is decoded at the beginning of the video stream, which reflects video playback speed, as well as how strong the WiFi signal is, even if the connection type is cellular. The log entries were also accompanied by timestamps which indicated when they were created, server codes that could identify servers that handled the requests (e.g., "sh" might indicate Shanghai for example), and the time zone offset of the device or server. 

As a result of the comprehensive nature of this data, it becomes increasingly evident that users are exposed to a large amount of sensitive information, and robust security measures are essential to protect it. In general, various data protection laws require businesses to limit data collection through data minimization and purpose limitation – in other words, they must collect only the amount of data necessary to achieve a specific objective. 

Additionally, organizations are required to obtain express consent from individuals and to provide transparency on how the data is utilized, otherwise, the exposure of user information could result in non-compliance and legal penalties. It appears the application collects a considerable amount of information beyond what is actually required to perform the application's basic functions, raising questions about whether data minimization is following data protection laws," the researchers wrote in their report.
Read more »
Cybersecurity
Crypto Hacks cryptocurrency Cryptocurrency Breach Cyber Fraud CyberCrime Cyberhackers Cybersecurity

Global Crypto Hacks Escalate to $2.2 Billion in 2024

 


Chainalysis, a blockchain analytics company that provides data analysis on the blockchain ecosystem, has reported that the volume of compromised crypto funds and the number of hacking incidents are set to rise in 2024. The report states that the total amount of stolen crypto funds rose by approximately 21.07% year-over-year (YoY), reaching $2.2 billion over the period. It also reports that the number of individual cyber-attacks increased from 282 in 2023 to 303 incidents in 2024, an increase of 34 per cent. 

During its report this year, Chainalysis noted that hackers also increasingly target centralized services such as cryptocurrency exchanges. In addition to Bitcoin's 140% increase in value this year surpassing $100,000, the rise in crypto heists also coincides with the institutional support of U.S. President-elect Donald Trump. There have been 303 hacking incidents so far in 2023, compared to 282 in 2023 and 1.8 billion dollars, but that’s only about Rs. 15,302 crores, which means hackers stole 1.8 billion dollars (roughly Rs. 15,302 crores) in 2023, according to the report. 

There has been an increase in crypto heists as the value of Bitcoin reached $100,000 (roughly Rs. 85 lakh) this year, and it has drawn institutional support and backing from US President-elect Donald Trump, who has become one of the biggest supporters of the digital currency. It is noted that DeFi still accounted for the largest share of stolen assets in the first quarter of 2024, but centralized services were more likely to be hacked during the second and third quarters. 

According to Chainalysis' report, several notable hacks of centralized services occurred, such as the hack of DMM Bitcoin in May 2024, which cost $305 million, and WazirX in July 2024, which cost $234.9 million. The WazirX hack in July of this year resulted in huge losses for the Indian cryptocurrency exchange, which has responded by stopping users from withdrawing their remaining cryptocurrency and is currently requesting a reorganization in Singapore. 

In addition, the Chainalysis report noted that North Korean hackers continue to try to steal cryptocurrency, particularly to avoid sanctions, as well as that the North Korean hackers are continuing to conduct cyber-attacks. As the industry faces an increasingly challenging environment in the new year, the industry has a lot of work to do to fight the proliferation of such crimes, especially fraud, that will undoubtedly pose a key challenge. 

Several reports concluded that the majority of the stolen crypto this year resulted from compromised private keys that control access to users' assets. A majority of the attacks targeted centralized platforms. There were several notable hacks during the past year. The most significant ones were the theft of $305 million from Japan's DMM Bitcoin in May, and the loss of $235 million from India's WazirX in July. According to Chainalysis, North Korea-related crypto hacking increased by more than double from a year ago to 1.3 billion dollars in 2024, which is a record.
Read more »
Technology
Cyberattacks CyberCrime Cyberhackers Cybersecurity Google Google Docs Microsoft Word Proton Docs Technology

Proton Docs vs Google Docs in the Productivity Space

 


For those who are concerned about privacy, Proton has announced an end-to-end encrypted document editor intended to be a viable alternative to Microsoft Word and Google Docs. This application, released on Wednesday by the Swiss software vendor best known for its encrypted email app, provides office workers with many document creation features they might use in their daily work.

Swiss-based and privacy-conscious Proton is now focusing on cloud-based document editing as it has built up its email, VPN, cloud storage, password manager, and cloud storage offerings. Proton Docs, a newly launched service that offers an array of features and privacy protections, might be just what users need to make it work for them.

With regards to its user interface and user experience, Proton Docs draws inspiration from Google Docs while also introducing its distinctive twists. In addition to its clean, minimalist design, Proton Docs has a central focus on the document, and users can find familiar functions with icons at the top representing the common formatting options (such as bold, italics, headings, and lists).

However, the top of the screen does not have a dedicated menu bar, and all options can be found in the default toolbar. Proton Docs keeps a very similar layout to Google Docs and, therefore, if someone is transitioning from Google Docs to Proton Docs, they should not have any problems getting started with their drafts right away. The work that was done by Proton was excellent.

A lot of the basic features of Proton Docs are similar to those of Google Docs, and the first thing users will notice is that the application looks very much like Google Docs: white pages with a formatting toolbar up top, and a cursor at the top that displays who is in the document as well as a cursor to clear the document at the top. The fact is that this isn’t particularly surprising for a couple of reasons.

First of all, Google Docs is extremely popular, and the options for styling a document editor are not that many. In other words, Proton Docs has been created in large part to offer all the benefits of Google Docs, just without Google. Docs are launching inside Proton Drive today, and as part of the privacy-focused suite of work tools offered by Proton, it will be the latest addition.

It has become clear that Proton has expanded its offering from email to include a calendar, a file storage system, a password manager, and more since it began as an email client. Adding Docs to the company's ecosystem seems like a wise move since it aims to compete against Microsoft Office and Google Workspace, and it was coming soon after Proton acquired Standard Notes in April.

According to Proton PR manager Will Moore, Notes would not disappear — Docs is borrowing some of its features instead. Proton Docs is a full-featured, end-to-end encrypted word processor with the ability to store files and even its users' keys (keystrokes and cursor movements) end-to-end encrypted, so that no one, including Proton staff, will be able to access any of the users' files (not even the users). This makes it much more difficult for hackers and data breaches to access the files, thereby making them more secure. There has been a lack of improvement in this area in Proton Docs.

However, even though it is part of the growing portfolio of the company, it does not fully integrate with its existing platform. There is no ability to access calendars and contacts from the sidebar like Google Docs, and it does not have the same functionality as Google Pages. Additionally, there is no easy way for users to import existing documents, files, or media from a Proton Drive account directly into the application.

In contrast, Google Docs provides the convenience of typing an "@" followed by the name of a file from users' Google Drive account and inserting the document from there as soon as they click the hyperlink. A feature such as this is particularly useful when a document needs to include multiple files in addition to the document itself. A second advantage of Proton Docs is the use of Swiss cloud servers, which provide storage of users' data on Proton Docs' servers in Switzerland.

It is thanks to the strict Swiss laws that protect the information stored on these servers that they cannot be accessed by regulatory authorities in regions like the European Union and the United States. A new feature known as Proton Docs is scheduled to be rolled out to Proton Drive customers starting today, with the ability to access the feature expected to be available to everyone within the next few days, as per Proton.

Powered by the Proton Drive platform, Proton Drive operates on a freemium model with individual subscriptions to the platform costing as little as €10 per month (approximately $10.80 when billed annually). The monthly subscription fee for Proton for Business is €7 per user per month and can be purchased in any amount.

Read more »
SEV
Advantech vulnerabilities Cyber Privacy Cyber Technology Cyberattacks CyberCrime Cyberhackers Cybersecurity Cyberthreats Data Breach Data protection nAMD System SEV

AMD Systems Vulnerability Could Threaten Encrypted Data Protection

 


There has been an announcement of a new technique for bypassing key security protections used in AMD chips to gain access to the clients of those services. Researchers believe that hackers will be able to spy on clients through physical access to cloud computing environments. Known as the "badRAM" security flaw, it has been described as a $10 hack that undermines the trust that the cloud has in it. 

This vulnerability was announced on Tuesday. Like other branded vulnerabilities, this vulnerability is being disclosed on a website with a logo and will be explained in a paper to be presented at next May's IEEE Symposium on Security and Privacy 2025. 

There is an increasing use of encryption in today's computers to protect sensitive data in their DRAM, especially in shared cloud environments with multiple data breaches and insider threats, which are commonplace. The Secure Encrypted Virtualization (SEV) technology of AMD enables users to protect privacy and trust in cloud computing by encrypting the memory of virtual machines (VMs) and isolating them from advanced attackers, including those who compromise critical infrastructure like the virtual machine manager and firmware, which is a cutting-edge technology. 

According to researchers, AMD's Secure Encrypted Virtualization (SEV) program, which protects processor memory from prying eyes in virtual machine (VM) environments, is capable of being tricked into letting someone access the contents of its encrypted memory using a test rig which costs less than $10 and does not require additional hardware. It is important to note that AMD is among the first companies to leverage the capabilities of chipset architecture to improve processor performance, efficiency, and flexibility. 

It has been instrumental in extending and building upon Moore's Law performance gains and extending them further. As a result of the firm's research, performance gains under Moore's Law have been extended and built upon, and the company announced in 2018 that the first processor would have a chipset-based x86 CPU design that was available. Researchers at the University of Lübeck, KU Leven, and the University of Birmingham have proposed a conceptually easy and cheap attack called “BadRAM”. 

It consists of a rogue memory module used to trick the CPU into believing that it has more memory than it does. Using this rogue memory module, you get it to write its supposedly secret memory contents into a "ghost" space that is supposed to contain the hidden memory contents. In order to accomplish this task, researchers used a test rig anyone could afford to buy, composed of a Raspberry Pi Pico, which costs a couple of dollars, and a DIMM socket for DDR4/5 RAM modules. 

The first thing they did was manipulate the serial presence detection (SPD) chip within the memory module so that it would misreport the amount of memory onboard when the device was booted up – the “BadRAM” attack. Using reverse engineering techniques to locate these memory aliases, they had access to memory contents by bypassing the system's trusted execution environment (TEE), as this created two physical addresses referencing the same DRAM location. 

According to the CVE description, the issue results from improper input validation of DIM SPD metadata, which could potentially allow an attacker with certain access levels to overwrite guest memory, as the issue is described as a result of improper input validation. It has been deemed a medium severity threat on the CVSS, receiving a 5.3 rating owing to the high level of access that a potential attacker would need to engage to successfully exploit the problem. 

According to AMD, the issue may be a memory implementation issue rather than a product vulnerability, and the barriers to committing the attack are a lot higher than they would be if it were a software product vulnerability. AMD was informed of the vulnerability by the researchers in February, which has been dubbed CVE-2024-21944, as well as relates specifically to the company’s third and fourth-generation EPYC enterprise processors. According to AMD’s advisory, the recommendation is to use memory modules that lock SPD and to follow physical security best practices. 

A firmware update has also been issued, although each OEM's BIOS is different, according to AMD. As the company has stated on several occasions, it will make mitigations more prominent in the system; there is specific information on the condition of a Host OS/Hypervisor, and there is also information available on the condition of a Virtual Machine (Guest) to indicate that mitigation has been applied.

The AMD company has provided an in-depth explanation of the types of access an attacker would need to exploit this issue in a statement given to ITPro, advising clients to follow some mitigation strategies to prevent the problem from becoming a problem. The badRAM website states that this kind of tampering may occur in several ways — either through corrupt or hostile employees at cloud providers or by law enforcement officers with physical access to the computer. 

In addition, the badRAM bug may also be exploited remotely, although the AMD memory modules are not included in this process. All manufacturers, however, that fail to lock the SPD chip in their memory modules, will be at risk of being able to modify their modules after boot as a result of operating system software, and thus by remote hackers who can control them remotely. 

According to Recorded Future News, Oswald has said that there has been no evidence of this vulnerability being exploited in the wild. However, the team discovered that Intel chips already had mitigations against badRAM attacks. They could not test Arm's modules because they were unavailable commercially. An international consortium of experts led by researchers from KU Leuven in Belgium; the University of Luebeck in Germany; and the University of Birmingham in the United Kingdom conducted the research.
Read more »
Verizon
AT&T Chinese Hackers Cybbercrime Cyber Attacks Cyberhackers Cyberthreatm Salt Typhoon Hacks FBI Verizon

Salt Typhoon Hack: A Grave Threat to U.S. Telecommunications

 


The Chinese state-sponsored hacking group Salt Typhoon has been implicated in one of the most severe breaches in U.S. telecommunications history. Sensitive information, including call logs, timestamps, phone numbers, and location data, was compromised across the networks of at least eight major telecom carriers, including AT&T and Verizon. Despite the scale of the intrusion, many affected consumers remain uninformed about the breach.

Scope and Impact of the Breach

According to reports, Salt Typhoon’s hacking campaign has targeted high-value intelligence figures, including presidential candidates Donald Trump and Kamala Harris, as well as Senator Chuck Schumer's office. The FBI estimates that millions of users’ metadata, particularly in the Washington, D.C., area, were accessed. Yet, most affected individuals have not been notified, raising serious privacy concerns.

AT&T and Verizon, the most severely impacted companies, have faced backlash for their limited response to the breach. Privacy groups have criticized the telecom giants for failing to comply with the Federal Communications Commission (FCC) mandate requiring companies to inform customers of breaches that could cause significant harm, such as identity theft or financial loss.

Telecom Industry’s Response

While high-value targets were promptly alerted, the majority of users whose data was compromised were not informed. In an interview with NBC, Alan Butler, executive director of the Electronic Privacy Information Center, condemned the carriers’ "deficient practices." He emphasized the need for transparency, urging companies to notify all affected customers, regardless of whether their metadata or the actual content of their communications was accessed.

Charter Communications, a midsize internet service provider, has taken a relatively open approach, acknowledging infiltration by Salt Typhoon. According to Chief Security Officer Jeff Simon, access by the hackers has since been cut off, and no customer information was reportedly accessed. In contrast, other companies like Lumen, another internet service provider, have downplayed or refused to disclose the extent of the breach.

Ongoing Threats and Legislative Action

Cybersecurity experts warn that Salt Typhoon continues to target U.S. telecom networks and IT infrastructure. Government agencies are closely monitoring the situation to mitigate further risks. Lawmakers are now considering stricter cybersecurity regulations to compel telecom companies to adopt robust practices and provide detailed breach notifications to consumers.

However, some companies targeted by Salt Typhoon claim the hackers did not gain substantial information. For example, Lumen stated that federal partners found no evidence of ongoing activity in its networks.

Consumer Awareness and Future Outlook

While telecom companies have yet to adequately address these breaches, consumers must stay informed about security risks by following news updates on data breaches. Public pressure is likely to drive industry-wide changes, prompting carriers like AT&T and Verizon to adopt comprehensive notification systems for all affected users.

The Salt Typhoon breach serves as a wake-up call for the telecommunications industry to prioritize data security. Enhanced transparency, stricter cybersecurity regulations, and informed decision-making will be crucial to safeguarding sensitive information in an increasingly digital world.

Read more »
WInnti Hackers
Chinese Cyber Threat Cyber Attacks CyberCrime Cyberhackers Cybersecurity CyberThreat Glutton PHP Backdoors WInnti Hackers

Rising Tactics of Winnti Hackers Include Deploying Glutton PHP Backdoors

 


In the past few months, researchers at a Chinese cybersecurity firm have been responsible for the discovery of an advanced PHP backdoor that supports Winnti, a group linked to Chinese cybercrime that is launching increasingly sophisticated attacks. Research has been conducted into the use of a PHP-based backdoor called Glutton, which has been used by cyber criminals to target China, Japan, the Republic of Korea, Cambodia, Pakistan, and South Africa through cyber attacks. 

As early as late April 2024, the Chinese nation-state group set up by Winnti (aka APT41), which has roots in North Korea, discovered malicious activity in a network from the Chinese nation-state group Chongqing Henchmen. The company also disclosed that its investigation revealed that Glutton's creators deliberately targeted systems within the cybercrime market with their tools to create malware. They poisoned operations intending to turn cybercriminals' tools against them, similar to the classic scenario from the movie.

The Winnti hacking group, sometimes referred to as APT41 is a notorious state-sponsored group known for conducting cyber espionage and financial fraud campaigns on behalf of the Chinese government. When the group appeared on the scene in 2012, it focused mostly on organizations involved in gaming, pharmaceuticals, and telecommunications, though it also attacked political organizations and government agencies. A modular backdoor made up of ELF modules, Glotto provides flexibility to craft tailored attacks to meet the attacker's specific needs. Several key components make up this malware: task_loader, which assesses the environment; init_task, which installs the backdoor; client_loader, which obfuscates the application; and client_task, which manages PHP backdoor operations and communicates with the command-and-control (C2) server. 

Through fileless execution, the malware runs entirely within PHP or PHP-FPM processes and injects malicious code into PHP files within popular frameworks such as ThinkPHP, Yii, Laravel, and Dedecms, thereby achieving stealth. Glutton maintains persistence in the system by modifying system files including those in the init[.]d network section and those in the Baota panel, allowing it to steal credentials and maintain a foothold on the system. 

By using a modular approach to code, Glutton can function without leaving traditional digital footprints behind, because all code execution is carried out within PHP, and there is a feature called PHP-FPM (FastCGI) that is used to optimize PHP process handling on web servers, which ensures that no files are left behind and that the backdoor remains undetected until it is discovered.  There are several PHP frameworks that Glutton can exploit to extract data or inject malicious code into widely used PHP frameworks, including Baota, ThinkPHP, Yii, and Laravel, when deployed with Glutton. 

It was in December 2023, when researchers traced the unusual activity to an IP address that was distributing a backdoor which targeted Unix-like operating systems, also commonly known as ELF-based malware, that researchers first discovered that Glutton was a backdoor. Further research revealed that the ELF-based malware also contained a malicious PHP file. Researchers uncovered a network of malicious PHP payloads connected to a network of malicious PHP payloads, revealing a complex attack infrastructure.

Researchers have indicated that the malware has a connection with Winnti’s historical activities, but they point out that there are several shortcomings when it comes to stealth and execution, which are uncharacteristically underwhelming for an APT group. Even though Winnti's behaviour normally does not include plaintext PHP samples and simplistic C2 communication protocols, the researchers believe that Winnti is the one responsible for the malware with some degree of confidence. The researchers also pointed out that Winnti "deliberately targeted systems within the cybercrime market" to spread the malware to as many targets as possible.

According to XLab researchers, Winnti "deliberately targeted systems within the cybercrime market" to help spread its virus as far as possible, but that was not the case.  Recent research has consistently shown that threat actors piggyback on each other’s infrastructure to exploit their vulnerabilities. In a report published by Microsoft, it was found that Turla, an APT group linked to the Russian government, has been running its operations using infrastructure previously set up by other APT groups or cybercriminals. 

In addition to being a fully functional backdoor, the PHP backdoor is also able to execute 22 unique commands, including switching C2 connections to UDP from TCP, launching a shell, downloading and uploading files, performing file and directory operations, and running arbitrary PHP code. Additionally, this framework provides the ability to periodically poll the C2 server for more PHP payloads, allowing for the retrieval and execution of more PHP payloads. According to XLab, these payloads are highly modular, capable of being executed independently by the payload module or sequentially by the task_loader module, providing a comprehensive framework to execute attacks, independently. 

There is no file payload left behind, ensuring no files or data are left behind after code execution, which ensures a completely stealthy footprint since all the code is executed within PHP or PHP-FPM (FastCGI) processes. In addition to this, HackBrowserData is also being used by cybercrime operators to steal sensitive information to inform future phishing or social engineering campaigns in the future. This tool can be used on any system used by a cybercriminal to steal sensitive information.
Read more »
TOUXtract Exploits
AI Models Cyber Researchers Cyberattacks CyberCrime Cyberhackers Cyberthreats Technology TOUXtract Exploits

AI Models at Risk from TPUXtract Exploit

 


A team of researchers has demonstrated that it is possible to steal an artificial intelligence (AI) model without actually gaining access to the device that is running the model. The uniqueness of the technique lies in the fact that it works efficiently even if the thief may not have any prior knowledge as to how the AI works in the first place, or how the computer is structured. 

According to North Carolina State University's Department of Electrical and Computer Engineering, the method is known as TPUXtract, and it is a product of their department. With the help of a team of four scientists, who used high-end equipment and a technique known as "online template-building", they were able to deduce the hyperparameters of a convolutional neural network (CNN) running on Google Edge Tensor Processing Unit (TPU), which is the settings that define its structure and behaviour, with a 99.91% accuracy rate. 

The TPUXtract is an advanced side-channel attack technique devised by researchers at the North Carolina State University, designed to protect servers from attacks. A convolutional neural network (CNN) running on a Google Edge Tensor Processing Unit (TPU) is targeted in the attack, and electromagnetic signals are exploited to extract hyperparameters and configurations of the model without the need for previous knowledge of its architecture and software. 

A significant risk to the security of AI models and the integrity of intellectual property is posed by these types of attacks, which manifest themselves across three distinct phases, each of which is based on advanced methods to compromise the AI models' integrity. Attackers in the Profiling Phase observe and capture side-channel emissions produced by the target TPU as it processes known input data as part of the Profiling Phase. As a result, they have been able to decode unique patterns which correspond to specific operations such as convolutional layers and activation functions by using advanced methods like Differential Power Analysis (DPA) and Cache Timing Analysis. 

The Reconstruction Phase begins with the extraction and analysis of these patterns, and they are meticulously matched to known processing behaviours This enables adversaries to make an inference about the architecture of the AI model, including the layers that have been configured, the connections made, and the parameters that are relevant such as weight and bias. Through a series of repeated simulations and output comparisons, they can refine their understanding of the model in a way that enables precise reconstruction of the original model. 

Finally, the Validation Phase ensures that the replicated model is accurate. During the testing process, it is subject to rigorous testing with fresh inputs to ensure that it performs similarly to that of the original, thus providing reliable proof of its success. The threat that TPUXtract poses to intellectual property (IP) is composed of the fact that it enables attackers to steal and duplicate artificial intelligence models, bypassing the significant resources that are needed to develop them.

The competition could recreate and mimic models such as ChatGPT without having to invest in costly infrastructure or train their employees. In addition to IP theft, TPUXtract exposed cybersecurity risks by revealing an AI model's structure that provided visibility into its development and capabilities. This information could be used to identify vulnerabilities and enable cyberattacks, as well as expose sensitive data from a variety of industries, including healthcare and automotive.

Further, the attack requires specific equipment, such as a Riscure Electromagnetic Probe Station, high-sensitivity probes, and Picoscope oscilloscope, so only well-funded groups, for example, corporate competitors or state-sponsored actors, can execute it. As a result of the technical and financial requirements for the attack, it can only be executed by well-funded groups. With the understanding that any electronic device will emit electromagnetic radiation as a byproduct of its operations, the nature and composition of that radiation will be affected by what the device does. 

To conduct their experiments, the researchers placed an EM probe on top of the TPU after removing any obstructions such as cooling fans and centring it over the part of the chip emitting the strongest electromagnetic signals. The machine then emitted signals as a result of input data, and the signals were recorded. The researchers used the Google Edge TPU for this demonstration because it is a commercially available chip that is widely used to run AI models on edge devices meaning devices utilized by end users in the field, as opposed to AI systems that are used for database applications. During the demonstration, electromagnetic signals were monitored as a part of the technique used to conduct the demonstration.

A TPU chip was placed on top of a probe that was used by researchers to determine the structure and layer details of an AI model by recording changes in the electromagnetic field of the TPU during AI processing. The probe provided real-time data about changes in the electromagnetic field of the TPU during AI processing. To verify the model's electromagnetic signature, the researchers compared it to other signatures made by AI models made on a similar device - in this case, another Google Edge TPU. Using this technique, Kurian says, AI models can be stolen from a variety of different devices, including smartphones, tablets and computers. 

The attacker should be able to use this technique as long as they know the device from which they want to steal, have access to it while it is running an AI model, and have access to another device with similar specifications According to Kurian, the electromagnetic data from the sensor is essentially a ‘signature’ of the way AI processes information. There is a lot of work that goes into pulling off TPUXtract. The process not only requires a great deal of technical expertise, but it also requires a great deal of expensive and niche equipment as well. To scan the chip's surface, NCSU researchers used a Riscure EM probe station equipped with a motorized XYZ table, and a high-sensitivity electromagnetic probe to capture the weak signals emanating from it. 

It is said that the traces were recorded using a Picoscope 6000E oscilloscope, and Riscure's icWaves FPGA device aligned them in real-time, and the icWaves transceiver translated and filtered out the irrelevant signals using bandpass filters and AM/FM demodulation, respectively. While this may seem difficult and costly for a hacker to do on their own, Kurian explains, "It is possible for a rival company to do this within a couple of days, regardless of how difficult and expensive it will be. 

Taking the threat of TPUXtract into account, this model poses a formidable challenge to AI model security, highlighting the importance of proactive measures. As an organization, it is crucial to understand how such attacks work, implement robust defences, and ensure that they can safeguard their intellectual property while maintaining trust in their artificial intelligence systems. The AI and cybersecurity communities must learn continuously and collaborate to stay ahead of the changing threats as they arise.
Read more »
Subscribe to: Posts (Atom)