Search This Blog
Powered by Blogger.

Blog Archive

Labels

Load More
Trendy Right Now

Popular Posts

Showing posts with label Cyberthreats. Show all posts
Technology
AGI AI Artificial Intelligence CyberCrime Cybersecurity Cyberthreats Human Level Intelligence OpenAI Technology

OpenAI's O3 Achieves Breakthrough in Artificial General Intelligence

 



 
In recent times, the rapid development of artificial intelligence took a significant turn when OpenAI introduced its O3 model, a system demonstrating human-level performance on tests designed to measure “general intelligence.” This achievement has reignited discussions on artificial intelligence, with a focus on understanding what makes O3 unique and how it could shape the future of AI.

Performance on the ARC-AGI Test 
 
OpenAI's O3 model showcased its exceptional capabilities by matching the average human score on the ARC-AGI test. This test evaluates an AI system's ability to solve abstract grid problems with minimal examples, measuring how effectively it can generalize information and adapt to new scenarios. Key highlights include:
  • Test Outcomes: O3 not only matched human performance but set a new benchmark in Artificial General Intelligence (AGI) development.
  • Adaptability: The model demonstrated the ability to draw generalized rules from limited examples, a critical capability for AGI progress.
Breakthrough in Science Problem-Solving 
 
Beyond the ARC-AGI test, the O3 model excelled in solving complex scientific questions. It achieved an impressive score of 87.7% compared to the 70% score of PhD-level experts, underscoring its advanced reasoning abilities. 
 
While OpenAI has not disclosed the specifics of O3’s development, its performance suggests the use of simple yet effective heuristics similar to AlphaGo’s training process. By evaluating patterns and applying generalized thought processes, O3 efficiently solves complex problems, redefining AI capabilities. An example rule demonstrates its approach.

“Any shape containing a salient line will be moved to the end of that line and will cover all the overlapping shapes in its new position.”
 
O3 and O3 Mini models represent a significant leap in AI, combining unmatched performance with general learning capabilities. However, their potential brings challenges related to cost, security, and ethical adoption that must be addressed for responsible use. As technology advances into this new frontier, the focus must remain on harnessing AI advancements to facilitate progress and drive positive change. With O3, OpenAI has ushered in a new era of opportunity, redefining the boundaries of what is possible in artificial intelligence.
Read more »
Technology
Border Security Force CyberCrime Cyberhackers Cybersecurity Cyberthreats GPS Technology

Rising GPS Interference Threatens Global Aviation and Border Security

 


A recent report by OPS Group, a global aviation safety network, has highlighted a sharp rise in GPS interference across several global conflict zones, including India’s borders with Pakistan and Myanmar. This interference poses significant risks to passenger aircraft flying over these regions, raising serious safety concerns.

Causes of GPS Interference

According to the September report, the increase in GPS interference near borders stems from enhanced security measures and the widespread use of drones for illicit activities. These factors have contributed to the rise of “spoofing,” a cyberattack technique where false GPS signals are transmitted to deceive navigation systems. By manipulating GPS signals, spoofing can create false positions, speeds, or altitudes, leading to impaired navigation accuracy and potential aviation incidents.

To counter these threats, technologies like the Inertial Reference System (IRS) provide an alternative to GPS by calculating positions independently. The IRS offers similar accuracy and is unaffected by signal disruptions, making it a valuable backup for navigation systems in high-risk zones.

India has implemented GPS jamming technologies along its border with Pakistan to enhance security and combat drone-based smuggling operations. These drones, often used to transport narcotics, weapons, and counterfeit currency, have become a growing concern. Reports indicate that GPS interference in the region has reached levels of 10%, significantly hindering illegal drone activity. The Border Security Force (BSF) has recovered a range of contraband, including narcotics and small arms, thanks to these efforts.

Drone activity has surged in recent years, particularly along the India-Pakistan border. In Punjab alone, sightings increased from 48 in 2020 to 267 in 2022, accounting for over 83% of reported drone activities along this border. The eastern border has also seen a rise in drone use for smuggling gold, exotic wildlife, and other contraband from Myanmar and Bangladesh. While effective against drones, GPS jamming can inadvertently impact civilian navigation systems, affecting vehicle and aircraft operations in the vicinity.

Global Aviation Safety Concerns

The issue of GPS interference extends beyond border security and affects global aviation. During this year’s 14th Air Navigation Conference held by the International Civil Aviation Organization (ICAO) in Montreal, delegates addressed the growing risks posed by interference with the Global Navigation Satellite System (GNSS). Such disruptions can compromise the accuracy of aircraft positioning and navigation systems, raising safety concerns.

To mitigate these risks, the conference proposed measures such as enhanced communication between stakeholders, improved information-sharing mechanisms, and the establishment of a global contingency plan for GNSS signal outages. These initiatives aim to reduce the impact of GPS interference on aviation safety and ensure continuity in navigation services.

The rising prevalence of GPS interference underscores the need for robust countermeasures and international collaboration. While advancements in jamming technologies and alternative navigation systems address immediate threats, a long-term strategy focused on securing navigation infrastructure and mitigating interference is essential for safeguarding both national security and global aviation operations.

Read more »
Healthcare system
Cyber Security Cyberattacks CyberCrime Cyberhackets Cyberthreats Health and Human Service Healthcare system

Transforming Cybersecurity Protocols for US Healthcare Systems

 


In a proposal posted on Friday in the Federal Register, the Office for Civil Rights of the US Department of Health and Human Services (HHS) outlined several new requirements that could improve the cybersecurity practices of healthcare organizations. The proposal, which includes requirements for multifactor authentication, data encryption, and routine vulnerability and breach scans, was posted to the Federal Register on Friday. 

Furthermore, anti-malware protection for systems handling sensitive information will be mandated, network segmentation will be implemented, backup and recovery controls will be separated, and yearly audits will be conducted to ensure compliance with the law. Additionally, the new requirements will require that sensitive information systems be protected against malware, the network must be segmented, backup and recovery controls must be separate, and compliance with these requirements must be monitored annually.

Since healthcare organizations hold such sensitive data and provide critical services to society, they have become increasingly vulnerable to threat actors. As a result of this, organizations have become increasingly forced to pay large ransoms for their systems and information to continue to operate as a consequence of the attacks. HHS' Office for Civil Rights (OCR) has proposed strict cybersecurity rules that will be published as a final rule within 60 days, and they will be issued by the Office of Civil Rights. 

Under these regulations, healthcare organizations will be required to protect protected health information by encrypting it, using multifactor authentication, and segmenting their networks to prevent attackers from moving laterally through the networks. It was announced on Thursday that Anne Neuberger, U.S. deputy national security advisor for cyber and emerging technology, said that it is necessary to establish these requirements in light of the huge number of Americans whose data was compromised due to large healthcare information breaches. 

As part of the proposals, data will be encrypted so that it cannot be accessed, even if it is leaked, and compliance checks will be required to ensure networks are compliant with cybersecurity regulations. Moreover, HHS has shared a fact sheet outlining the proposal, which will update the HIPAA Security Rule to include information about health insurance portability and accountability. It is expected that the public comment period will be open for 60 days. 

Reuters reports that during a press briefing, US Deputy National Security Advisor Anne Neuberger stated the plan would cost $9 billion in the first year, and $6 billion in the subsequent four years, as outlined in a press briefing. A significant increase in large-scale data breaches has taken place over the past few years, and just in the last year, the healthcare industry has been victimized by several large-scale cyberattacks, including hacking into the Ascension and UnitedHealth systems that have disrupted hospitals, doctors' offices, and pharmacies. 

There has been a considerable amount of evidence over the years pointing to Chinese state-sponsored actors as responsible for cyberattacks on American companies and agencies. There has been a massive hack on US telecom companies in the last year, which was blamed on "PRC-affiliated actors" by the FBI. According to The Post, the actors, known by the name Salt Typhoon, targeted the mobile phones of diplomats, government officials, and people associated with both presidential campaigns, allegedly. Chinese officials have called the allegations of their country participating in the attack on the Treasury Department "groundless" and emphasized that "the government has always been opposed to all hacker attacks," according to The Post.

Not only does not acting cost a lot of money, but it also endangers critical infrastructure and patients' safety and has other harmful consequences," says a recent statement by one of the largest private healthcare organizations in the country, Ascension Healthcare System. In May, a ransomware attack stole nearly 5.6 million people's personal and health information. After the cyberattack, Ascension employees were inevitably forced to keep track of medications and procedures on paper because electronic patient records could no longer be accessed. 

To prevent triage delays, the healthcare giant also took some devices offline and diverted emergency medical services to other hospitals. As a result of a hacking attack on UnitedHealth Group, more than 100 million US customers were exposed to data that was sold on the dark web, causing significant disruption for patients and staff at the hospital.

The hospitals were forced to operate by hand. Neuberger asserted that Americans' sensitive healthcare data, mental health information, and other data are being "leaked onto the dark web with the possibility that individuals could be blackmailed as a result of the leak,"
Read more »
Vulnerabilities and Exploits
Cyberattacks CyberCrime Cyberhackers Cybersecurity Cyberthreats Four-Fait Routers VulnCheck Vulnerabilities and Exploits

Critical Security Issue Hits Four-Faith Routers

 


According to VulnCheck, a critical vulnerability identified as CVE-2024-12856 has been discovered in Four-Faith industrial routers, specifically affecting the F3x24 and F3x36 models, as well as users’ machines. Evidence suggests active exploitation of this vulnerability in the wild, raising significant security concerns for industrial and enterprise users. The flaw resides in the router’s system time adjustment function, where a post-authentication vulnerability allows attackers to execute remote commands on compromised devices.

Technical Details of the Vulnerability

The routers, running firmware version 2.0, are susceptible to an authenticated remote command execution flaw via the HTTP endpoint apply.cgi. Attackers can manipulate the system time parameter using POST requests, enabling arbitrary command execution. Additionally, the firmware is configured with default credentials that, if left unchanged, can escalate the vulnerability to allow unauthenticated remote OS command injection.

Data provided by VulnCheck indicates that approximately 15,000 internet-facing routers may be affected by this issue. Exploitation campaigns have been observed since at least November 2024, with attackers altering system parameters remotely. The attacks appear to originate from multiple IP addresses and utilize Mirai-like payloads to compromise the devices. VulnCheck notes that some payloads share similarities with those used to exploit a prior vulnerability (CVE-2019-12168), although the underlying components differ.

Security researchers have identified attack patterns involving two primary IP addresses, including 178.215.238.91, as sources of active exploitation campaigns. User-Agent strings from these attacks match earlier campaigns documented in November 2024, with new payload variations targeting the identified flaw. While the attacks remain low-scale, they demonstrate a high level of persistence.

Censys data corroborates VulnCheck’s findings, suggesting that the vulnerability has been exploited consistently since its initial observation. Despite this, an official from Bains, speaking to The Hacker News, emphasized that the attacks are not widespread and appear to involve a small number of attackers using spamming techniques at a low frequency.

Mitigation Recommendations

As of now, there is no confirmation regarding the availability of security patches for the affected firmware. VulnCheck disclosed the vulnerability to Four-Faith on December 20, 2024, and awaits a response. In the interim, researchers strongly advise users to take the following measures to mitigate potential risks:

  • Immediately change default credentials on affected devices.
  • Restrict network exposure by placing routers behind firewalls or VPNs.
  • Monitor device activity for unusual or unauthorized behavior.
  • Implement detection rules, such as the Suricata rule provided by VulnCheck, to identify suspicious HTTP POST requests indicative of the attack.

Impact and Implications

By exploiting this vulnerability, attackers can gain full control over affected devices, including executing reverse shell commands to maintain persistent access while concealing their identities. Such control poses a severe threat to organizations reliant on Four-Faith routers for critical operations.

The absence of immediate patches has prompted security researchers to highlight the importance of adopting proactive measures. Organizations are advised to strengthen their defenses against suspicious activity while awaiting updates from Four-Faith. VulnCheck, adhering to responsible disclosure policies, has withheld additional technical details and information about patches until a response from the manufacturer is received.

This incident underscores the critical need for robust firmware security practices, including eliminating default credentials and ensuring timely patch management, to protect against emerging threats in industrial environments.

Read more »
Vulnerabilities and Exploits
Botnet Cyberattacks CyberCrime Cybersecurity CyberThreat Cyberthreats DDOS Attacks IoT Vulnerabilities and Exploits

Understanding and Preventing Botnet Attacks: A Comprehensive Guide

 


Botnet attacks exploit a command-and-control model, enabling hackers to control infected devices, often referred to as "zombie bots," remotely. The strength of such an attack depends on the number of devices compromised by the hacker’s malware, making botnets a potent tool for large-scale cyberattacks.

Any device connected to the internet is at risk of becoming part of a botnet, especially if it lacks regular antivirus updates. According to CSO Online, botnets represent one of the most significant and rapidly growing cybersecurity threats. In the first half of 2022 alone, researchers detected 67 million botnet connections originating from over 600,000 unique IP addresses.

Botnet attacks typically involve compromising everyday devices like smartphones, smart thermostats, and webcams, giving attackers access to thousands of devices without the owners' knowledge. Once compromised, these devices can be used to launch spam campaigns, steal sensitive data, or execute Distributed Denial of Service (DDoS) attacks. The infamous Mirai botnet attack in October 2016 demonstrated the devastating potential of botnets, temporarily taking down major websites such as Twitter, CNN, Reddit, and Netflix by exploiting vulnerabilities in IoT devices.

The Lifecycle of a Botnet

Botnets are created through a structured process that typically involves five key steps:

  1. Infection: Malware spreads through phishing emails, infected downloads, or exploiting software vulnerabilities.
  2. Connection: Compromised devices connect to a command-and-control (C&C) server, allowing the botmaster to issue instructions.
  3. Assignment: Bots are tasked with specific activities like sending spam or launching DDoS attacks.
  4. Execution: Bots operate collectively to maximize the impact of their tasks.
  5. Reporting: Bots send updates back to the C&C server about their activities and outcomes.

These steps allow cybercriminals to exploit botnets for coordinated and anonymous attacks, making them a significant threat to individuals and organizations alike.

Signs of a Compromised Device

Recognizing a compromised device is crucial. Look out for the following warning signs:

  • Lagging or overheating when the device is not in use.
  • Unexpected spikes in internet usage.
  • Unfamiliar or abnormal software behavior.

If you suspect an infection, run a malware scan immediately and consider resetting the device to factory settings for a fresh start.

How to Protect Against Botnet Attacks

Safeguarding against botnets doesn’t require extensive technical expertise. Here are practical measures to enhance your cybersecurity:

Secure Your Home Network

  • Set strong, unique passwords and change default router settings after installation.
  • Enable WPA3 encryption and hide your network’s SSID.

Protect IoT Devices

  • Choose products from companies that offer regular security updates.
  • Disable unnecessary features like remote access and replace default passwords.

Account Security

  • Create strong passwords using a password manager to manage credentials securely.
  • Enable multi-factor authentication (MFA) for an added layer of security.

Stay Updated

  • Keep all software and firmware updated to patch vulnerabilities.
  • Enable automatic updates whenever possible.

Be Wary of Phishing

  • Verify communications directly with the source before providing sensitive information.
  • Avoid clicking on links or downloading attachments from untrusted sources.

Use Antivirus Software

  • Install reputable antivirus programs like Norton, McAfee, or free options like Avast.

Turn Off Devices When Not in Use

  • Disconnect smart devices like TVs, printers, and home assistants to minimize risks.

Organizations can mitigate botnet risks by deploying advanced endpoint protection, strengthening corporate cybersecurity systems, and staying vigilant against evolving threats. Implementing robust security measures ensures that businesses remain resilient against increasingly sophisticated botnet-driven cyberattacks.

Botnet attacks pose a serious threat to both individual and organizational cybersecurity. By adopting proactive and practical measures, users can significantly reduce the risk of becoming victims and contribute to a safer digital environment.

Read more »
Privacy
Camera Security Breach. Cyberattacks CyberCrime Cyberhackers Cybersecurity Cyberthreats Data Theft Privacy

Thousands of Users Exposed by Flawed Camera Streaming App

 


A Cybernews research team discovered a huge exposed data server on June 25th. The server contained 3GB of personal information and telemetry from iPhones equipped with an app known as "Home V." According to the log samples, the data is related to the Home V app, which is used to manage Virtavo security cameras. Elasticsearch, a data analytics and search engine, was exposed by an unsecured server that provided logs containing phone numbers, device identifiers, IP addresses, and firmware versions, among other details about the devices, the network, and the users. 

It has been suspected that these logs were diagnostic reports, which were updated in real-time and appear to have been used for performance monitoring or troubleshooting. As a result of the server's malfunction, more than 8.7 million records were left on the server. Several snapshots were duplicates and for some unique identifiers, there was an appearance of up to 50 snapshots at the same time. In a study, researchers estimated that over 100,000 unique users could be affected, while cybersecurity researchers were able to find an exposed data server that contained 3GB of personal information and was capable of receiving telemetry from iOS devices. 

During the summer of 2023, all the information in the world had one thing in common: it was generated by an app called Home V, which managed Virtavo security cameras. These cameras were capable of streaming videos, playing back videos, communicating with each other, receiving motion alerts, etc. However, indoor surveillance cameras are vulnerable to hacking techniques, which can pose significant security risks due to their vulnerability. Many wireless cameras are pre-configured with usernames such as "admin" and passwords which are easily guessable, such as "admin," "888888," or "123456", which is a common vulnerability. 

When cyber attackers try to gain unauthorized access to online cameras by scanning their cameras and attempting to use these standard login details, they exploit these weak credentials. This can be addressed by implementing a password manager, which will generate and store strong, unique passwords to prevent these attacks. Password security is a significant concern for many people, especially when transmitting unencrypted data. 

Even though users can update a camera's password, some devices still transmit this information unencrypted over the internet. Consequently, they may be able to be intercepted by attackers and then used to access the camera if they have the stolen information. It is also possible that the Wi-Fi password is transmitted unencrypted in some cases, further undermining your network's security. In particular, one of the most severe threats is the possibility of a full camera takeover, in which attackers gain access to the device at the root level. 

ith this level of access, attackers can fully control the camera. As a result of such an attack, the surveillance camera can be turned into a tool for further malicious activities if it is tampered with, its settings are altered, and it can even be installed with malware. To minimize these risks, users must make sure that they take steps to ensure that their security systems are protected by strong passwords, encrypting their data and staying abreast of potential vulnerabilities. 

The exposed logs contained a wide range of critical information regarding the user and the device, raising concerns about data security and privacy. Among other things, the information also contained information regarding the device and software, such as the version of the app, the device model (e.g., iPhone12,5, which corresponds to the iPhone 11 Pro Max), the operating system, the firmware version, as well as details regarding video decoding, including the use of video decoding software such as "VideoTool Box" to decode H.264 files. 

 As part of the project, information related to the user’s network was collected, including their country code (e.g., CN for China), their IP address which identified the server's physical location, their connection type, such as “cellular,” and information about the network operator and settings. It was also revealed that the data contained unique user identifiers, such as user accounts linked to phone numbers or email addresses, as well as unique user identifiers (User IDs and UUIDs), and numeric device identifiers, which were all part of the exposed data. 

It is also possible to measure performance metrics, such as how fast the video frame is decoded at the beginning of the video stream, which reflects video playback speed, as well as how strong the WiFi signal is, even if the connection type is cellular. The log entries were also accompanied by timestamps which indicated when they were created, server codes that could identify servers that handled the requests (e.g., "sh" might indicate Shanghai for example), and the time zone offset of the device or server. 

As a result of the comprehensive nature of this data, it becomes increasingly evident that users are exposed to a large amount of sensitive information, and robust security measures are essential to protect it. In general, various data protection laws require businesses to limit data collection through data minimization and purpose limitation – in other words, they must collect only the amount of data necessary to achieve a specific objective. 

Additionally, organizations are required to obtain express consent from individuals and to provide transparency on how the data is utilized, otherwise, the exposure of user information could result in non-compliance and legal penalties. It appears the application collects a considerable amount of information beyond what is actually required to perform the application's basic functions, raising questions about whether data minimization is following data protection laws," the researchers wrote in their report.
Read more »
SEV
Advantech vulnerabilities Cyber Privacy Cyber Technology Cyberattacks CyberCrime Cyberhackers Cybersecurity Cyberthreats Data Breach Data protection nAMD System SEV

AMD Systems Vulnerability Could Threaten Encrypted Data Protection

 


There has been an announcement of a new technique for bypassing key security protections used in AMD chips to gain access to the clients of those services. Researchers believe that hackers will be able to spy on clients through physical access to cloud computing environments. Known as the "badRAM" security flaw, it has been described as a $10 hack that undermines the trust that the cloud has in it. 

This vulnerability was announced on Tuesday. Like other branded vulnerabilities, this vulnerability is being disclosed on a website with a logo and will be explained in a paper to be presented at next May's IEEE Symposium on Security and Privacy 2025. 

There is an increasing use of encryption in today's computers to protect sensitive data in their DRAM, especially in shared cloud environments with multiple data breaches and insider threats, which are commonplace. The Secure Encrypted Virtualization (SEV) technology of AMD enables users to protect privacy and trust in cloud computing by encrypting the memory of virtual machines (VMs) and isolating them from advanced attackers, including those who compromise critical infrastructure like the virtual machine manager and firmware, which is a cutting-edge technology. 

According to researchers, AMD's Secure Encrypted Virtualization (SEV) program, which protects processor memory from prying eyes in virtual machine (VM) environments, is capable of being tricked into letting someone access the contents of its encrypted memory using a test rig which costs less than $10 and does not require additional hardware. It is important to note that AMD is among the first companies to leverage the capabilities of chipset architecture to improve processor performance, efficiency, and flexibility. 

It has been instrumental in extending and building upon Moore's Law performance gains and extending them further. As a result of the firm's research, performance gains under Moore's Law have been extended and built upon, and the company announced in 2018 that the first processor would have a chipset-based x86 CPU design that was available. Researchers at the University of Lübeck, KU Leven, and the University of Birmingham have proposed a conceptually easy and cheap attack called “BadRAM”. 

It consists of a rogue memory module used to trick the CPU into believing that it has more memory than it does. Using this rogue memory module, you get it to write its supposedly secret memory contents into a "ghost" space that is supposed to contain the hidden memory contents. In order to accomplish this task, researchers used a test rig anyone could afford to buy, composed of a Raspberry Pi Pico, which costs a couple of dollars, and a DIMM socket for DDR4/5 RAM modules. 

The first thing they did was manipulate the serial presence detection (SPD) chip within the memory module so that it would misreport the amount of memory onboard when the device was booted up – the “BadRAM” attack. Using reverse engineering techniques to locate these memory aliases, they had access to memory contents by bypassing the system's trusted execution environment (TEE), as this created two physical addresses referencing the same DRAM location. 

According to the CVE description, the issue results from improper input validation of DIM SPD metadata, which could potentially allow an attacker with certain access levels to overwrite guest memory, as the issue is described as a result of improper input validation. It has been deemed a medium severity threat on the CVSS, receiving a 5.3 rating owing to the high level of access that a potential attacker would need to engage to successfully exploit the problem. 

According to AMD, the issue may be a memory implementation issue rather than a product vulnerability, and the barriers to committing the attack are a lot higher than they would be if it were a software product vulnerability. AMD was informed of the vulnerability by the researchers in February, which has been dubbed CVE-2024-21944, as well as relates specifically to the company’s third and fourth-generation EPYC enterprise processors. According to AMD’s advisory, the recommendation is to use memory modules that lock SPD and to follow physical security best practices. 

A firmware update has also been issued, although each OEM's BIOS is different, according to AMD. As the company has stated on several occasions, it will make mitigations more prominent in the system; there is specific information on the condition of a Host OS/Hypervisor, and there is also information available on the condition of a Virtual Machine (Guest) to indicate that mitigation has been applied.

The AMD company has provided an in-depth explanation of the types of access an attacker would need to exploit this issue in a statement given to ITPro, advising clients to follow some mitigation strategies to prevent the problem from becoming a problem. The badRAM website states that this kind of tampering may occur in several ways — either through corrupt or hostile employees at cloud providers or by law enforcement officers with physical access to the computer. 

In addition, the badRAM bug may also be exploited remotely, although the AMD memory modules are not included in this process. All manufacturers, however, that fail to lock the SPD chip in their memory modules, will be at risk of being able to modify their modules after boot as a result of operating system software, and thus by remote hackers who can control them remotely. 

According to Recorded Future News, Oswald has said that there has been no evidence of this vulnerability being exploited in the wild. However, the team discovered that Intel chips already had mitigations against badRAM attacks. They could not test Arm's modules because they were unavailable commercially. An international consortium of experts led by researchers from KU Leuven in Belgium; the University of Luebeck in Germany; and the University of Birmingham in the United Kingdom conducted the research.
Read more »
TOUXtract Exploits
AI Models Cyber Researchers Cyberattacks CyberCrime Cyberhackers Cyberthreats Technology TOUXtract Exploits

AI Models at Risk from TPUXtract Exploit

 


A team of researchers has demonstrated that it is possible to steal an artificial intelligence (AI) model without actually gaining access to the device that is running the model. The uniqueness of the technique lies in the fact that it works efficiently even if the thief may not have any prior knowledge as to how the AI works in the first place, or how the computer is structured. 

According to North Carolina State University's Department of Electrical and Computer Engineering, the method is known as TPUXtract, and it is a product of their department. With the help of a team of four scientists, who used high-end equipment and a technique known as "online template-building", they were able to deduce the hyperparameters of a convolutional neural network (CNN) running on Google Edge Tensor Processing Unit (TPU), which is the settings that define its structure and behaviour, with a 99.91% accuracy rate. 

The TPUXtract is an advanced side-channel attack technique devised by researchers at the North Carolina State University, designed to protect servers from attacks. A convolutional neural network (CNN) running on a Google Edge Tensor Processing Unit (TPU) is targeted in the attack, and electromagnetic signals are exploited to extract hyperparameters and configurations of the model without the need for previous knowledge of its architecture and software. 

A significant risk to the security of AI models and the integrity of intellectual property is posed by these types of attacks, which manifest themselves across three distinct phases, each of which is based on advanced methods to compromise the AI models' integrity. Attackers in the Profiling Phase observe and capture side-channel emissions produced by the target TPU as it processes known input data as part of the Profiling Phase. As a result, they have been able to decode unique patterns which correspond to specific operations such as convolutional layers and activation functions by using advanced methods like Differential Power Analysis (DPA) and Cache Timing Analysis. 

The Reconstruction Phase begins with the extraction and analysis of these patterns, and they are meticulously matched to known processing behaviours This enables adversaries to make an inference about the architecture of the AI model, including the layers that have been configured, the connections made, and the parameters that are relevant such as weight and bias. Through a series of repeated simulations and output comparisons, they can refine their understanding of the model in a way that enables precise reconstruction of the original model. 

Finally, the Validation Phase ensures that the replicated model is accurate. During the testing process, it is subject to rigorous testing with fresh inputs to ensure that it performs similarly to that of the original, thus providing reliable proof of its success. The threat that TPUXtract poses to intellectual property (IP) is composed of the fact that it enables attackers to steal and duplicate artificial intelligence models, bypassing the significant resources that are needed to develop them.

The competition could recreate and mimic models such as ChatGPT without having to invest in costly infrastructure or train their employees. In addition to IP theft, TPUXtract exposed cybersecurity risks by revealing an AI model's structure that provided visibility into its development and capabilities. This information could be used to identify vulnerabilities and enable cyberattacks, as well as expose sensitive data from a variety of industries, including healthcare and automotive.

Further, the attack requires specific equipment, such as a Riscure Electromagnetic Probe Station, high-sensitivity probes, and Picoscope oscilloscope, so only well-funded groups, for example, corporate competitors or state-sponsored actors, can execute it. As a result of the technical and financial requirements for the attack, it can only be executed by well-funded groups. With the understanding that any electronic device will emit electromagnetic radiation as a byproduct of its operations, the nature and composition of that radiation will be affected by what the device does. 

To conduct their experiments, the researchers placed an EM probe on top of the TPU after removing any obstructions such as cooling fans and centring it over the part of the chip emitting the strongest electromagnetic signals. The machine then emitted signals as a result of input data, and the signals were recorded. The researchers used the Google Edge TPU for this demonstration because it is a commercially available chip that is widely used to run AI models on edge devices meaning devices utilized by end users in the field, as opposed to AI systems that are used for database applications. During the demonstration, electromagnetic signals were monitored as a part of the technique used to conduct the demonstration.

A TPU chip was placed on top of a probe that was used by researchers to determine the structure and layer details of an AI model by recording changes in the electromagnetic field of the TPU during AI processing. The probe provided real-time data about changes in the electromagnetic field of the TPU during AI processing. To verify the model's electromagnetic signature, the researchers compared it to other signatures made by AI models made on a similar device - in this case, another Google Edge TPU. Using this technique, Kurian says, AI models can be stolen from a variety of different devices, including smartphones, tablets and computers. 

The attacker should be able to use this technique as long as they know the device from which they want to steal, have access to it while it is running an AI model, and have access to another device with similar specifications According to Kurian, the electromagnetic data from the sensor is essentially a ‘signature’ of the way AI processes information. There is a lot of work that goes into pulling off TPUXtract. The process not only requires a great deal of technical expertise, but it also requires a great deal of expensive and niche equipment as well. To scan the chip's surface, NCSU researchers used a Riscure EM probe station equipped with a motorized XYZ table, and a high-sensitivity electromagnetic probe to capture the weak signals emanating from it. 

It is said that the traces were recorded using a Picoscope 6000E oscilloscope, and Riscure's icWaves FPGA device aligned them in real-time, and the icWaves transceiver translated and filtered out the irrelevant signals using bandpass filters and AM/FM demodulation, respectively. While this may seem difficult and costly for a hacker to do on their own, Kurian explains, "It is possible for a rival company to do this within a couple of days, regardless of how difficult and expensive it will be. 

Taking the threat of TPUXtract into account, this model poses a formidable challenge to AI model security, highlighting the importance of proactive measures. As an organization, it is crucial to understand how such attacks work, implement robust defences, and ensure that they can safeguard their intellectual property while maintaining trust in their artificial intelligence systems. The AI and cybersecurity communities must learn continuously and collaborate to stay ahead of the changing threats as they arise.
Read more »
Pumakit Rootkit
Cyberattacks CyberCrime Cyberhackers Cybersecurity Cyberthreats Linux LKM malware PT Pumakit Rootkit

Pumakit Rootkit Challenges Linux Security Systems

 


According to the researchers from the Elastic Security Lab, a new rootkit called PUMAKIT can perform various advanced evasion mechanisms. When Elastic Security researchers discovered PUMAKIT while routinely hunting for threats on VirusTotal, they described it as PUMAKIT. Many stages are involved in deploying this multi-stage malware, including a dropper, two memory-resident executables, an LKM rootkit module, and a shared object rootkit, all of which are used in the userland. 

To manipulate core system behaviours, the rootkit component can hook into 18 different syscalls and several kernel functions using an internal Linux function tracer (ftrace), which enables it to control the behaviour of core system components. The rootkit is an advanced persistent threat (APT) that tends to target critical organizations with specific programs designed to establish persistence within compromised systems.

The rootkit is often used by APT groups in their attempts to target critical organizations with specific programs. As a result of the discovery of this Linux rootkit malware called Pumakit, it can evade detection and compromise systems through advanced stealth and privilege escalation techniques. Several components make up this sophisticated malware, including a dropper, a memory-resident executable, kernel module rootkits, and userland rootkits. 

The Pumakit malware family was discovered by Elastic Security in a suspicious binary 'cron' uploaded to VirusTotal on September 4, 2024. The details surrounding its identity and target remain vague. There are a variety of rootkits like this that are commonly used by advanced threat actors to undermine critical infrastructure, steal money, disrupt operations, and infiltrate enterprise systems to conduct espionage. As a sophisticated piece of malware, PUMAKIT was discovered via routine threat detection on VirusTotal as part of routine threat hunting. 

Its binary contains strings embedded by the developer that can be easily identified and accessed by developers. There is an internal structure to the malware that is based on a multi-stage architecture, which comprises a dropper component named "cron", two memory-resident executables called TGT and WPN, an LKM rootkit called Pumba and a shared object rootkit called Kitsune that is bundled in with the malware. This payload allows for loading the LKM rootkit ('puma.ko') into the kernel as well as the userland rootkit ('Kitsune SO') to intercept system calls via the userland.  

A kernel function, such as "prepare_creds" and "commit_creds," can also be used to alter core system behaviour and achieve its objectives. It includes the use of the internal Linux function tracer (trace) to hook into as many as 18 different system calls and various kernel functions, such as "prepare_creds." and "commit_creds." In addition, Elastic noted that every step of the infection chain is designed to conceal the malware's presence, leveraging memory-resident files, and doing specific checks before unleashing the rootkit, which will make it difficult for the user to detect it before it is launched. 

As of right now, the company has not linked PUMAKIT to any known threat actor or group and believes that the software most likely originated from unknown sources. As you may know, PUMAKIT is a sophisticated and stealthy threat, which utilizes advanced techniques like syscall hooks, memory-resident execution, and unique methods for escalating privileges. According to the researchers, it is a multi-architectural malware that demonstrates the increasing sophistication of malware aimed at Linux. For IForthe LKM rootkit to be able to manipulate the behaviour of a system, it must use the syscall table, as well as kallsyms_lookup_name() to find symbol names. 

Rootkits targeting kernel versions 5.7 and above tend to use probes, which means they are designed for older kernels which makes them more difficult to detect than modern rootkits. There has been a debate within the kernel development team about the unsporting of the kallsyms_lookup_name() code to prevent unauthorized or malicious modules from misusing it. As part of this tactic, modules are often added with fake MODULE_LICENSE("GPL") declarations that circumvent license checks, thereby allowing them to access non-exported kernel functions, which is not permitted under the GPL.

A Linux rootkit known as PUMAKIT, or Pumakkit for short, has been discovered that underscores the sophistication with which Linux systems are being targeted by targeted threats. This malware is one of the most dangerous adversaries because it can evade detection and execute advanced attacks. In any case, proactive measures can reduce the harm caused by these threats by recommending regular updates and by increasing monitoring capabilities, among other measures. 

To defend against attacks like PUMAKIT being carried out by hackers like Kumak, it is crucial to remain informed and vigilant in the face of evolving cybersecurity threats. Users must take every precaution to ensure that their Linux systems are protected from this and other advanced malware threats.
Read more »
Telecom
CyberCrime Cyberhackers Cybersecurity Cyberthreats FBI. Cyberespionage Hackers Technology Telecom

Telecom Networks on Alert Amid Cyberespionage Concerns

 



The U.S. Federal Government has called on telecommunication companies to strengthen their network security in response to a significant hacking campaign allegedly orchestrated by Chinese state-sponsored actors. 

The campaign reportedly allowed Beijing to access millions of Americans' private communications, including texts and phone conversations. In a joint advisory, the FBI and the Cybersecurity and Infrastructure Security Agency (CISA) outlined measures to help detect and prevent such cyber-espionage activities. Extent of the Breach Remains Unclear According to officials, the full scale of the breach and whether Chinese hackers still have access to U.S. networks remain unknown. The announcement was coordinated with security agencies in New Zealand, Australia, and Canada—members of the Five Eyes intelligence alliance—signaling the global reach of China's hacking activities. 

The FBI and CISA revealed that Chinese hackers breached the networks of several U.S. telecom companies. These breaches enabled them to collect customer contact records and private communications. Most targeted individuals were involved in government or political activities. 

Key Findings:
  • Hackers accessed sensitive information under law enforcement investigations or court orders.
  • Attempts were made to compromise programs governed by the Foreign Intelligence Surveillance Act (FISA), which allows U.S. spy agencies to monitor suspected foreign agents' communications.
Salt Typhoon Campaign The campaign, referred to as Salt Typhoon, surfaced earlier this year. Hackers used advanced malware to infiltrate telecom networks and gather metadata, such as call dates, times, and recipients. 
 
Details of the Attack:
  • Limited victims had their actual call audio and text data stolen.
  • Victims included individuals involved in government and political sectors.
While telecom companies are responsible for notifying affected customers, many details about the operation remain unknown, including the exact number of victims and whether the hackers retain access to sensitive data. 
  
Recommendations for Telecom Companies 

Federal agencies have issued technical guidelines urging telecom companies to:
  1. Encrypt Communications: Enhance security by ensuring data encryption.
  2. Centralize Systems: Implement centralized monitoring to detect potential breaches.
  3. Continuous Monitoring: Establish consistent oversight to identify cyber intrusions promptly.
CISA's Executive Assistant Director for Cybersecurity, Jeff Greene, emphasized that implementing these measures could disrupt operations like Salt Typhoon and reduce future risks. 

China's Alleged Espionage Efforts 
 
This incident aligns with a series of high-profile cyberattacks attributed to China, including:
  • The FBI's September disruption of a botnet operation involving 200,000 consumer devices.
  • Alleged attacks on devices belonging to U.S. political figures, including then-presidential candidate Donald Trump, Senator JD Vance, and individuals associated with Vice President Kamala Harris.
The U.S. has accused Chinese actors of targeting government secrets and critical infrastructure, including the power grid. 

China Denies Allegations 
 
In response, Liu Pengyu, spokesperson for the Chinese embassy in Washington, dismissed the allegations as "disinformation." In a statement, Liu asserted that China opposes all forms of cyberattacks and accused the U.S. of using cybersecurity as a tool to "smear and slander China." 

As cyber threats grow increasingly sophisticated, the federal government’s call for improved network security underscores the importance of proactive defense measures. Strengthened cybersecurity protocols and international cooperation remain critical in safeguarding sensitive information from evolving cyber-espionage campaigns.
Read more »
Information Breach
Cyberattacks CyberCrime Cyberhackers Cyberthreats Data Breach Electric Ireland FBI GNCCB Information Breach

Woman Charged in Electric Ireland Customer Information Breach

An Irish national utility service provider, Electric Ireland, is investigating a significant data breach involving customer information. This breach, first reported last year, has led to arrests and an ongoing investigation by the Garda National Cyber Crime Bureau (GNCCB) and the Garda National Economic Crime Bureau (GNECB). The incident has raised concerns about the misuse of personal and financial data and potential risks for affected customers.

Details of the Data Breach

Electric Ireland disclosed that an employee of a company working on its behalf may have inappropriately accessed data from approximately 8,000 residential customer accounts. The compromised information includes personal and financial details, potentially exposing customers to fraud. While the company has not released the names of affected customers, it is actively identifying and contacting individuals who may be at risk. The breach has left many customers concerned about identity theft and financial security.

Electric Ireland has apologized for the breach and is providing guidance to impacted customers. Those not contacted by the company are advised to remain cautious and avoid taking immediate action until they receive official communication. In addition, Electric Ireland has encouraged customers to report any fraudulent activity related to their accounts and to consult their banks for potential security measures.

Investigative Efforts by Authorities

The Garda National Cyber Crime Bureau and GNECB are at the forefront of the investigation. The GNCCB specializes in analyzing digital evidence and has collaborated with international agencies like Europol, Interpol, and the FBI in similar cases. During the probe, investigators discovered evidence on the phone of a Nigerian national allegedly linked to the breach. Further scrutiny led to a focus on his girlfriend and her associates, indicating a wider network of individuals potentially involved in the unauthorized access of data.

The GNECB, which handles financial crime cases, is assessing the fraud's extent and coordinating with Electric Ireland to mitigate the impact on customers. Despite limited details from the authorities, the case highlights the growing challenges of safeguarding sensitive data in an increasingly digital landscape.

Company Response and Customer Guidance

In addition to addressing the data breach, Electric Ireland is dealing with separate issues of overcharging due to incorrect tariff rates and smart meter data errors. The company has issued apologies for these errors and is offering credit notes to affected customers. Regulatory authorities are reviewing the matter to ensure compliance and prevent similar occurrences in the future.

Electric Ireland remains committed to transparency and is collaborating with Garda Síochána to resolve the breach. Customers are urged to stay vigilant, monitor their financial accounts, and report any suspicious activities to the company and their banks.

Read more »
Windows
Check Point research CyberCrime Cyberhackers Cybersecurity Cyberthreats GodLoader Godot Game iOS Linux macOS malware Windows

Godot Game Engine Targeted in Widespread Malware Attack

 


A newly identified malware threat, GodLoader, is targeting gamers globally by exploiting the Godot game development engine, according to a report from Check Point Research. This sophisticated attack has already impacted more than 1.2 million users across various platforms. 

How GodLoader Works 

 
GodLoader infiltrates devices by leveraging Godot’s .pck files, which package game assets. These files can embed harmful scripts that execute malicious code upon launching a game, effectively bypassing traditional antivirus detection. The malware primarily targets: 

-Windows 
- macOS 
- Linux 
- Android 
- iOS 

Check Point Research reported that hackers have infected over 17,000 systems in just the past three months. By utilizing Godot’s GDScript (a Python-like scripting language), attackers distribute malware via more than 200 GitHub repositories, often masked as legitimate game assets. 

Exploitation of Open-Source Trust 


Eli Smadja, Security Research Group Manager at Check Point Software Technologies, highlighted the exploitation of open-source platforms:  

"Cybercriminals have turned the flexibility of the Godot Engine into a vulnerability, spreading cross-platform malware like GodLoader by capitalizing on the trust users place in open-source software." 

Infected computers are not only compromised but may also be converted into cryptocurrency mining rigs through XMRig, rendering them unusable for other tasks. 

Stargazers Ghost Network: Distribution-as-a-Service (DaaS) 


The attackers used the Stargazers Ghost Network to distribute GodLoader. This platform, active since 2022, employs over 3,000 ghost GitHub accounts to create networks of malicious repositories. These repositories: 

- Host info stealers like RedLine, Lumma Stealer, Rhadamanthys, and RisePro. 
- Manipulate GitHub’s trending section by starring, forking, and subscribing to their own repositories to appear legitimate. 

During a campaign between September and October 2024, Check Point discovered four separate attacks targeting developers and gamers. These attacks aimed to distribute infected tools and games, enticing users to download malware through seemingly credible GitHub repositories. 

Broader Implications and Future Risks 


The malware’s ability to target multiple platforms significantly enlarges the attack surface, posing a growing threat to the gaming community. Experts warn that attackers could embed malware into cheats, mods, or cracks for popular Godot-built games, increasing the vulnerability of millions of gamers. 

The Stargazers Ghost Network has already earned over $100,000 by distributing malware through its DaaS platform. With its continuous evolution, this network poses an ongoing threat to both developers and users of the Godot engine. 

Call to Action for Developers and Gamers 


Industry experts emphasize the urgent need for proactive cybersecurity measures to counter such threats. Recommendations include: 

- Avoid downloading game assets from unverified sources. 
- Regularly update antivirus and anti-malware software. 
- Implement robust security practices when developing or downloading games built with Godot. 

As the gaming ecosystem continues to expand, vigilance and collaboration between developers and security researchers will be critical in mitigating threats like GodLoader and ensuring a safer gaming environment.
Read more »
insurance
CyberCrime Cybersecurity Cyberthreats Data Breach data security HDFC insurance

HDFC Life Responds to Data Leak, Engages Cybersecurity Experts

 


According to HDFC Life Insurance, the company recently reported a cyberattack resulting in stolen confidential customer data. Cybercriminals allegedly accessed sensitive policyholder information and demanded extortion from the insurance company, so the company submitted a complaint to the South Region Cyber Police. As per the complaint, there was a breach of security at the company between November 19 and November 21, 2024. 

The cybercriminals, operating under the alias of bsdqwasdg@gmail.com and using a WhatsApp account to send unencrypted communications, managed to steal the

personal data of HDFC Life's clients. In a news release on Monday, HDFC Life Insurance Company, the country's second-largest private insurer by premiums, reported that customer information had been stolen from their system. 

In recent months, there has been a second major data breach within the insurance sector following thee leak of many gallons of personal information by Star Health & Allied Insurance a few months ago. Star Health and Allied Insurance had previously been subject to a cyberattack, as well as a forensic investigation conducted by independent cybersecurity experts, into the incident.

The data breach that occurred at Star Health's servers reportedly resulted in the sale of sensitive information about 31 million customers - an amount of 7.24 terabytes estimated - on the messaging network Telegram as part of the breach.  In its article, the Insurance Regulatory and Development Authority of India (IRDAI), which controls the insurance industry in India, had indicated that, even though insurers have not been named, it takes security breaches very seriously and is committed to continuing its engagement with the companies to ensure the interests of policyholders are protected fully. 

There was a lot of personal information leaked, including names, addresses, phone numbers, tax details, and sometimes even medical records of the insurance policyholders. It was reported that Star Health's chief information security officer (CISO), Amarjeet Khanuja, had sold the company's data for $150,000 after a hacker allegedly accessed the data through the company's network. There was another incident involving the loss of data at Tata AIG as well. 

A few days after the presidential election, HDFC Life Insurance received several emails claiming to have been sent by an anonymous sender who claimed to have stolen the sensitive information of its customers. A hacker attached data to the email that included the names, policy numbers, addresses, and phone numbers of 99 of his victims. 

As outlined in the email, unless negotiations are conducted, the data of the company will be leaked or sold to third parties. According to the hacker, the company has two days to respond to the threat and its reputation could be jeopardized. A series of messages had been sent over the weekend of November 20 and 21 by the extortionist, warning the company that if they failed to negotiate, a massive leak would occur. As stated in one of the messages, the company will have to suffer losses of "hundreds of billions of rupees" if the transaction goes through, along with a damaged reputation and regulatory pressure from the government. 

It was requested by the hacker that he pay money in exchange for preventing the exposure of the information. A security expert examined the breach and verified its authenticity with the help of HDFC Life Insurance, which then decided to engage the police and inform the appropriate authorities of the breach. 

As a result, the company has given its customers the assurance that it is taking all possible measures to ensure their information is protected and that the impact of the data theft is minimized. It was decided to file a case under sections 308(3) (extortion) as well as 351(4) (criminal intimidation) of the Bharatiya Nyaya Sanhita, 2023 along with the relevant provisions of the Information Technology Act, 2000, for the commission of the offence. 

There was a statement from HDFC Life that stated the company is committed to safeguarding the interest of its customers and will take swift action to resolve this matter. In recent months, other insurers, including Star Health Insurance and Tata AIG, have also admitted to data breaches as a result of intrusions into their systems. 

It is because of these incidents that IRDAI is constantly monitoring insurers' data security frameworks and ensuring that the necessary corrective actions are being taken as soon as possible. A growing number of cyber threats are posing serious risks to the privacy of customers and the accountability of organizations in the insurance sector. 

HDFC Life's proactive measures reflect the industry's recent push to enhance cybersecurity measures continuously to ensure that the risk of these breaches in the future is diminished. A number of cybersecurity measures have been put in place by the IRDAI to ensure that data protection is robust and that millions of policies are protected
Read more »
Wi-fi
APT28 Cyber Hackers CyberCrime Cybersecurity Cyberthreats Data Breach Volexity Wi-fi

Wi-Fi Exploit Enables Russian Hackers to Breach US Business

 


A sophisticated cyberattack was carried out by a Russian state-sponsored group, which is believed to be APT28 (Fancy Bear), which exploited a large U.S. enterprise's Wi-Fi network remotely. This breach was first detected by cybersecurity firm Volexity on February 4, 2022, while it targeted a Washington, DC-based organization whose projects related to Ukraine were being carried out. 

A group of Russian hackers, reportedly linked to Russia's GRU military intelligence, managed to gain access to the wireless network through a password-spraying attack on another service, which allowed them to obtain the credentials needed to connect. The Russian state-sponsored hackers known as "APT28" have exploited a novel attack technique called 'nearest neighbour attack' to penetrate a U.S. company's enterprise WiFi network to spy on employees' activity. 

Although the hackers were thousands of miles away, they could compromise an organization nearby within WiFi range, providing a pivot from where they could reach their destination. Security firm Volexity was able to detect the attacks on February 4, 2022, as it had been monitoring the hackers, codenamed 'GruesomeLarch', as they had been monitoring the attack for many weeks beforehand. 

APT28, which is associated with the General Staff's Main Intelligence Directorate (GRU) and is part of the Russian military's 26165 unit, has been conducting cyber operations since at least 2004 in conjunction with a Russian military unit. Using a hijacked device in a neighbouring building across the street, Russian state-sponsored hackers were able to log into a Wi-Fi network in the United States without ever leaving their country of residence. 

Volexity, a security vendor, documented a rare hacking technique that they call the "Nearest Neighbor Attack." The company discovered the incident in January 2022, when an unnamed customer, calling itself Organization A, suffered a system hack. Initially, the attackers, whom Volexity tracks as GruesomeLarch, gained access to the target's enterprise WiFi network by accessing that service through a password-spraying attack that targeted the victim's public-facing services, as the passwords were flooded. 

Nonetheless, the presence of one-time password (OTP) protection meant that the credentials could not be used to access public web-based services. As far as connecting to the enterprise's WiFi network was concerned, MFA was not required, however, being "thousands of miles away from the victim and behind an ocean" posed a significant inconvenience. It was through this creative use of the hacker's brain that they began looking into buildings nearby that could be potential pivots to the target wireless network, in fact they started to do so. 

APT28 compromised multiple organizations as part of this attack and was able to daisy-chain their connection between these organizations by using legitimate access credentials to connect with them. At the end of the investigation, they discovered a device within a certain range that was capable of connecting to three wireless access points near the windows of a victim's conference room to retrieve their data. 

An unprivileged account used for the remote desktop connection (RDP) allowed the threat actor to move around the target network from one point to another searching for systems of interest and exfiltrating sensitive information from them. Three Windows registry hives were dumped by the hackers: SAM, Security, and System. This hive was compressed into a ZIP archive and then exfiltrated by the hackers using a script named 'servtask.bat'. 

The most common way they collected data while minimizing their footprint was to use native Windows tools. As a result of Volexity's analysis, it was also identified that GruesomeLarch was actively targeting Organization A so that data would be collected from individuals and projects active in Ukraine who have expertise in and experience with those projects. Despite Volexity's initial inability to confirm an association between the attacker and any known threat actors, a subsequent report by Microsoft pointed to certain indicators of compromise (IoCs) that matched the information Volexity had observed, indicating that the Russian threat group was responsible. 

Microsoft's cybersecurity report indicates that it is highly likely that APT28 was able to escalate privileges before launching critical payloads within a victim's network by exploiting the CVE-2022-38028 vulnerability in the Windows Print Spooler service within the victim's network. This is a zero-day vulnerability in Windows. 

APT28, a group that executes targeted attacks using the nearest neighbour technique, successfully demonstrated that close-access operations, which are usually performed at close range, can be executed from a distance, eliminating the risk of identifying or capturing the target physically. Even though internet-facing devices have benefited from increasing security over the past year, thanks to services such as multi-factor authentication and other types of protections that have been added, WiFi corporate networks have largely remained unprotected over the same period.
Read more »
Technology
Android Cyberattacks CyberCrime Cyberhackers Cybersecurity Cyberthreats Google GPS Technology

Improving GPS Technology with Insights from Android Phones

 


The effect of navigation apps drifting off course may be caused by a region 50-200 miles overhead called the ionosphere, which is a region of the Earth’s atmosphere that is responsible for such drifts. There are various levels of free electrons in this layer that, under certain conditions, can be extremely concentrated, thereby slowing down the processing of GPS signals when they are travelling between satellites and devices. 

A delay, like a delay that would occur from navigating through a crowded city street without being able to get to your place of work on time, is a major contributor to navigation system errors. As reported in Nature this week, a team of Google researchers demonstrated they had been able to use GPS signal measurements collected from millions of anonymous Android mobile devices to map the ionosphere by using GPS data from those devices. 

There are several reasons why a single mobile device signal cannot tell researchers so much about the ionosphere with only one device, but this problem is minimized when there are many other devices to compare with. Finally, the researchers have been able to use the vast network of Android phones to map out the ionosphere in an extremely precise way, matching or exceeding the accuracy of monitoring stations, using the huge network of Android phones. This technique was far more accurate in areas like India and Central Africa, compared to the accuracy of listening stations alone, where the Android technique was used. 

The total electron content (TEC) referred to as ionospheric traffic is a measure of the number of electrons in the ionosphere used within a cellular telephone network. Satellites and ground stations are used to measure this amount of electrons in the ionosphere. These detection tools are indeed effective, but they are also relatively expensive and difficult to build and maintain, which means that they are not used as commonly in developing regions of the world. 

The fact that monitoring stations are not accessible equally leads to disparities in the accuracy of the global ionospheric maps. However, Google researchers did not address one issue. They chose to use something that more than half of the world's population already possessed: mobile phones. In an interview with Popular Science, Google researcher Brian Williams discussed how changes in the ionosphere have been hindering GPS capabilities when working on Android products.

If the ionosphere were to change shortly, this may undermine GPS capabilities. Aside from contributing to scientific advances, he sees this project as an opportunity to improve accuracy and provide a more useful service to mobile device users regularly.  Rather than considering ionosphere interference with GPS positioning as an obstacle, the right thing to do is to flip the idea and imagine that GPS receiver is an instrument to measure the ionosphere, not as an obstacle," Williams commented.

The ionosphere can be seen in a completely different light by combining the measurements made by millions of phones, as compared to what would otherwise be possible." Thousands of Android phones, already known as 'distributed sensor networks', have become a part of the internet. GPS receivers are integrated into most smartphones to measure radio signals beamed from satellites orbiting approximately 1,200 miles above us in medium Earth orbit (MEO).

A receiver determines your location by calculating the distance from yourself to the satellite and then using the distance to locate you, with an accuracy of approximately 15 feet. The ionosphere acts as a barrier that prevents these signals from travelling normally through space until they reach the Earth. In terms of GPS accuracy errors, many factors contribute to the GPS measurement error, including variables like the season, time of day, and distance from the equator, all of which can affect the quality of the GPS measurement. 

There is usually a correctional model built into most phone receivers that can be used to reduce the estimated error by around half, usually because these receivers provide a correctional model.  Google researchers wanted to see if measurements taken from receivers that are built into Android smartphones could replicate the ionosphere mapping process that takes place in more advanced monitoring stations by combining measurements taken directly from the phone. 

There is no doubt that monitoring stations have a clear advantage over mobile phones in terms of value per pound. The first difference between mobile phones and cellular phones is that cellular phones have much larger antennas. Also, the fact that they sit under clear open skies makes them a much better choice than mobile phones, which are often obscured by urban buildings or the pockets of the user's jeans.

In addition, every single phone has a customized measurement bias that can be off by several microseconds depending on the phone. Even so, there is no denying the fact that the sheer number of phones makes up for what they are lacking in individual complexity.  As well as these very immediate benefits, the Android ionosphere maps are also able to provide other less immediate benefits. According to the researchers, analyzing Android receiving measurements revealed that they could detect a signal of electromagnetic activity that matched a pair of powerful solar storms that had occurred earlier this year. 

According to the researchers, one storm occurred in North America between May 10 and 11, 2024. During the time of the peak activity, the ionosphere of that area was measured by smartphones and it showed a clear spike in activity followed by a quick depletion once again. The study highlights that while monitoring stations detected the storm, phone-based measurements of the ionosphere in regions lacking such stations could provide critical insights into solar storms and geomagnetic activity that might otherwise go unnoticed. This additional data offers a valuable opportunity for scientists to enhance their understanding of these atmospheric phenomena and improve preparation and response strategies for potentially hazardous events.

According to Williams, the ionosphere maps generated using phone-based measurements reveal dynamics in certain locations with a level of detail previously unattainable. This advanced perspective could significantly aid scientific efforts to understand the impact of geomagnetic storms on the ionosphere. By integrating data from mobile devices, researchers can bridge gaps left by traditional monitoring methods, offering a more comprehensive understanding of the ionosphere’s behaviour. This approach not only paves the way for advancements in atmospheric science but also strengthens humanity’s ability to anticipate and mitigate the effects of geomagnetic disturbances, fostering greater resilience against these natural occurrences.
Read more »
Subscribe to: Posts (Atom)