Cybersecurity and AI Challenges: How Companies Must Evolve to Stay Secure and Competitive

 

Cybersecurity remains a big concern, with a recent study from DataDome showing that 91% of websites are at risk from bot attacks. The study looked at over 14,000 sites in industries like healthcare, luxury goods, and e-commerce, revealing that many businesses with sensitive data are not well protected. Even large companies, though slightly better equipped, let through half of the basic bot threats. 

As cyberattacks become more advanced, companies need to improve their defenses to avoid being targeted. DataDome’s study used simple bots, but it’s a reminder that more sophisticated attacks could cause even more damage. On top of cybersecurity issues, many companies face challenges in managing their data, especially when it comes to using generative AI.
 
Lakshmikant (LK) Gundavarapu, Chief Innovation Officer at Tredence, points out that AI relies on clean, well-organized data to work effectively. Unfortunately, many businesses struggle to keep their data in order, making it hard to get the most out of AI tools. Gundavarapu emphasizes that having a clear picture of their data is key for companies to use AI successfully. 

Meanwhile, President Joe Biden has introduced a new policy that highlights the importance of AI in national security. This policy focuses on protecting AI development and addressing risks like biological, chemical, and nuclear threats, while encouraging collaboration with other countries to manage AI responsibly. 

This follows an earlier executive order aimed at setting rules for AI use in the U.S. As cybersecurity threats grow and AI regulations evolve, tech companies like Microsoft, Google, and Meta are also facing challenges. While all three reported strong earnings driven by cloud and AI services, investors are cautious about their future spending plans. 

In today’s fast-changing environment, businesses need to prioritize strong cybersecurity and proper data management to remain competitive and secure.

Sophos X-Ops Uncovers Major Qilin Ransomware Breach Targeting Chrome Browser Credentials

 

Cybersecurity firm Sophos X-Ops has exposed a significant ransomware breach by the Qilin group, which has introduced a new and highly concerning technique of stealing credentials stored in Google Chrome browsers on compromised systems. Qilin, active since at least 2022, is already notorious for its "double extortion" strategy. This method involves encrypting the victim’s data while simultaneously threatening to leak or sell the data unless a ransom is paid. 

The discovery of Qilin's latest tactic underscores the evolution of ransomware attacks into more sophisticated and damaging operations. The breach came to light following an attack on Synnovis, a UK governmental healthcare service provider. 

The attack began with the exploitation of compromised credentials to access the organization’s VPN portal, which lacked multi-factor authentication (MFA), allowing the attackers initial access. Once inside, the attackers spent 18 days conducting surveillance before moving laterally to a domain controller. 

Here, they modified the Group Policy Objects (GPO) to implement a malicious PowerShell script named `IPScanner.ps1`. This script was designed to harvest login credentials stored in Google Chrome browsers and was automatically executed every time users logged into their devices. 

The stolen credentials were stored in the SYSVOL share, labeled by the infected device's hostname, and subsequently exfiltrated to the attackers' command-and-control server. To avoid detection, the attackers cleared event logs and deleted the local data copies before deploying the ransomware. Given that Google Chrome holds over 65 per cent of the browser market share, the attackers were able to access a large array of usernames and passwords stored by users, raising the scale of the breach. 
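A defender can review the two places this chain touched, the scripts Group Policy runs and the contents of SYSVOL. The PowerShell below is an added example, not code from Sophos or from the attack. The 30-day window and the use of `Get-ADComputer` (available only where the ActiveDirectory RSAT module is installed) are assumptions.

```powershell
# Added example: review what Group Policy runs at logon and what has landed
# in SYSVOL recently. Read access to SYSVOL is enough; run it from a
# domain-joined admin workstation.
$domain   = $env:USERDNSDOMAIN
$sysvol   = "\\$domain\SYSVOL\$domain"
$policies = Join-Path $sysvol 'Policies'
$cutoff   = (Get-Date).ToUniversalTime().AddDays(-30)   # look-back window (assumption)

# 1. Scripts registered by GPOs (scripts.ini / psscripts.ini are hidden files).
$registered = Get-ChildItem -LiteralPath $policies -Recurse -Force -File -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -in 'scripts.ini', 'psscripts.ini' } |
    ForEach-Object {
        $ini = $_
        foreach ($line in Get-Content -LiteralPath $ini.FullName) {
            if ($line -match '^\s*\d+CmdLine=(.+)$') {
                $script = $Matches[1].Trim()
                [pscustomobject]@{
                    Script         = $script
                    IniFile        = $ini.FullName
                    IniModifiedUtc = $ini.LastWriteTimeUtc
                    # IPScanner.ps1 is the script name reported in this incident.
                    NamedInReport  = ($script -like '*IPScanner.ps1*')
                }
            }
        }
    }

# 2. Anything created or modified in the Policies tree inside the window.
$recent = Get-ChildItem -LiteralPath $policies -Recurse -Force -File -ErrorAction SilentlyContinue |
    Where-Object { $_.LastWriteTimeUtc -gt $cutoff -or $_.CreationTimeUtc -gt $cutoff } |
    Select-Object FullName, Length, CreationTimeUtc, LastWriteTimeUtc

# 3. Files or folders in SYSVOL named after a computer account, matching the
#    report that stolen data was stored under the infected device's hostname.
$hostNamed = @()
if (Get-Command Get-ADComputer -ErrorAction SilentlyContinue) {
    $computerNames = (Get-ADComputer -Filter *).Name
    $hostNamed = Get-ChildItem -LiteralPath $sysvol -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object { $computerNames -contains $_.BaseName } |
        Select-Object FullName, CreationTimeUtc, LastWriteTimeUtc
}

[pscustomobject]@{
    RegisteredScripts  = @($registered)
    RecentPolicyFiles  = @($recent)
    HostNamedItems     = @($hostNamed)
}
```

Every registered script should map to a change the administrators recognise; the attackers cleared event logs, so file timestamps in SYSVOL may be the only remaining record.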

This method of credential harvesting introduces a new layer of threat, potentially allowing Qilin to access multiple high-value targets, complicating response efforts for organizations. Affected organizations have been urged to reset all Active Directory passwords and advise users to change the passwords of any sites saved in Chrome. 

This tactic may serve as a "bonus multiplier" for attackers, increasing the chaos inherent in ransomware situations by gaining insights into high-value accounts, making future attacks even more damaging. This breach highlights a growing concern over organizations' abilities to defend against such multifaceted and evolving ransomware threats.

Chinese Hacking Groups Target Russian Government, IT Firms

At the end of July 2024, a series of targeted cyberattacks began, aimed at Russian government organizations and IT companies. These attacks have been linked to Chinese hacker groups APT31 and APT27. The cybersecurity firm Kaspersky uncovered this activity and named the campaign "EastWind."  

The attackers used an updated version of the CloudSorcerer backdoor, which was first seen in a similar campaign back in May 2024 that also targeted Russian government entities. 
However, CloudSorcerer has not only been used in attacks on Russia; in May 2024, Proofpoint identified a related attack on a U.S.-based think tank. 

To check if a system has been compromised, look for DLL files larger than 5MB in the 'C:\Users\Public' directory, unsigned 'msedgeupdate.dll' files, and a running process named 'msiexec.exe' for each logged-in user. 
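The three checks above can be run on a single Windows host with the PowerShell below. It is an added example, not a Kaspersky tool; the directories searched for `msedgeupdate.dll` and the decision to ignore session 0 for `msiexec.exe` are assumptions, and a hit is a lead for investigation rather than proof of compromise.

```powershell
#Requires -RunAsAdministrator
# Added example: triage one Windows host for the three EastWind indicators.

# Indicator 1: DLL files larger than 5 MB under C:\Users\Public.
$largeDlls = Get-ChildItem -LiteralPath 'C:\Users\Public' -Filter '*.dll' -File -Recurse -Force -ErrorAction SilentlyContinue |
    Where-Object { $_.Length -gt 5MB } |
    Select-Object FullName,
                  @{ n = 'SizeMB'; e = { [math]::Round($_.Length / 1MB, 1) } },
                  CreationTimeUtc, LastWriteTimeUtc

# Indicator 2: msedgeupdate.dll copies without a valid Authenticode signature.
# Assumption: these search roots; the write-up does not say where the file lands.
$roots = 'C:\Users', 'C:\ProgramData', 'C:\Program Files', 'C:\Program Files (x86)' |
    Where-Object { Test-Path -LiteralPath $_ }
$badEdgeDlls = foreach ($root in $roots) {
    Get-ChildItem -LiteralPath $root -Filter 'msedgeupdate.dll' -File -Recurse -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -LiteralPath $_.FullName
            if ($sig.Status -ne 'Valid') {
                [pscustomobject]@{
                    Path            = $_.FullName
                    SignatureStatus = $sig.Status
                    SHA256          = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
                }
            }
        }
}

# Indicator 3: msiexec.exe running in logged-in users' sessions.
# -IncludeUserName needs elevation. Session 0 is skipped because the Windows
# Installer service legitimately runs there (triage assumption).
$userMsiexec = Get-Process -Name 'msiexec' -IncludeUserName -ErrorAction SilentlyContinue |
    Where-Object { $_.SessionId -ne 0 } |
    Select-Object Id, UserName, SessionId, Path, StartTime

# One summary object per host, easy to collect from many machines.
[pscustomobject]@{
    Host                   = $env:COMPUTERNAME
    LargeDllsInPublic      = @($largeDlls)
    UnsignedEdgeUpdateDlls = @($badEdgeDlls)
    UserSessionMsiexec     = @($userMsiexec)
    IndicatorsHit          = [int](@($largeDlls).Count -gt 0) +
                             [int](@($badEdgeDlls).Count -gt 0) +
                             [int](@($userMsiexec).Count -gt 0)
}
```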

The initial stage of the attack involved phishing emails. These emails carried RAR archive attachments that were named after the target. Once opened, the archive used a technique called DLL side loading to drop a backdoor on the system, while simultaneously opening a document to distract the victim. 

The backdoor allowed attackers to explore the victim’s filesystem, execute commands, steal data, and deploy additional malware. The attackers used this backdoor to introduce a trojan called 'GrewApacha,' which has been linked to APT31. 

The latest version of GrewApacha, compared to previous versions from 2023, has been improved to use two command servers instead of one. These servers' addresses are stored in base64-encoded strings on GitHub profiles, which the malware accesses. Another tool loaded by the backdoor is a refreshed version of CloudSorcerer. 

This version uses a unique encryption mechanism to ensure it only runs on the targeted system. If run on a different machine, the encryption key will differ, causing the malware to fail. The updated CloudSorcerer now fetches its command-and-control (C2) server addresses from public profiles on Quora and LiveJournal instead of GitHub. 

A third piece of malware introduced during the EastWind attacks is called PlugY. This is a previously unknown backdoor with versatile capabilities, including executing commands, capturing screens, logging keystrokes, and monitoring the clipboard. 

Researchers found that the code used in PlugY has similarities with attacks by the APT27 group, and that a specific library for C2 communications found in PlugY is also used in other Chinese threat actor tools.

MCA to Strike Off 400 Chinese Companies for Fraud in India

 

The Ministry of Corporate Affairs (MCA) is preparing to strike off as many as 400 Chinese companies operating in India due to severe financial irregularities and incorporation-related fraud. These companies, which primarily deal in online loans and job services, are spread across 17 states, including key areas such as Delhi, Mumbai, Chennai, Bengaluru, Uttar Pradesh, and Andhra Pradesh. According to a report by Moneycontrol, which cited an anonymous government official, the action is expected to be completed within the next three months. 

The MCA has been investigating nearly 600 Chinese companies, focusing on those involved in digital lending and online job platforms. The official stated that the investigation phase has concluded, revealing that 300 to 400 of these companies are likely to be struck off the register. 

The primary reasons for this drastic action include predatory lending practices, financial fraud, and violations of India’s financial regulations. These Chinese companies have come under scrutiny for a variety of reasons. Many of them have been accused of engaging in aggressive tactics to recover loans, imposing exorbitant interest rates on borrowers, and resorting to harassment. 

Additionally, several companies have been found to have Indian directors but operate with Chinese bank accounts, with no recorded financial transactions in India. This has raised suspicions of money laundering and other financial crimes. Furthermore, some companies were not found at their registered office addresses, while others were discovered to be investing in businesses unrelated to their stated purpose, further indicating potential financial fraud. 

Under Section 248 of the Companies Act, the process of striking off a company from the register takes approximately three months. The MCA first issues a notice to the company, allowing time for a response. If the company fails to respond, a second notice is sent after one month. Should there be no reply even then, the company is removed from the register.  

This sweeping action by the MCA underscores the Indian government’s ongoing efforts to regulate the digital lending space and ensure financial transparency, particularly in light of the growing concerns around the proliferation of predatory lending apps in the country.

Sitting Ducks DNS Attack Hijacks 35,000 Domains

 

Cybersecurity researchers have uncovered a significant threat affecting the internet's Domain Name System (DNS) infrastructure, known as the "Sitting Ducks" attack. This sophisticated method allows cybercriminals to hijack domains without needing access to the owner's account at the DNS provider or registrar. 

Researchers from DNS security firm Infoblox and hardware protection company Eclypsium revealed that more than one million domains are vulnerable to this attack daily. This has resulted in over 35,000 confirmed domain hijackings, primarily due to poor domain verification practices by DNS providers. The Sitting Ducks attack exploits misconfigurations at the registrar level and insufficient ownership verification. Attackers leverage these vulnerabilities to take control of domains through "lame" delegations, making the hijacking process more effective and harder to detect. 

Once in control, these hijacked domains are used for malware distribution, phishing, brand impersonation, and data theft. Russian threat actors have been particularly active, with twelve known cyber-gangs using this method since 2018 to seize at least 35,000 domains. These attackers often view weak DNS providers as "domain lending libraries," rotating control of compromised domains every 30-60 days to avoid detection. 

The Sitting Ducks attack has been exploited by several cybercriminal groups. "Spammy Bear" hijacked GoDaddy domains in late 2018 for spam campaigns. "Vacant Viper" began using Sitting Ducks in December 2019, hijacking 2,500 domains yearly for the 404TDS system to distribute the IcedID malware and set up command and control (C2) domains. "VexTrio Viper" started using the attack in early 2020, employing the hijacked domains in a massive traffic distribution system (TDS) that supports the SocGholish and ClearFake operations. 

Additionally, several smaller and unknown actors have used Sitting Ducks to create TDS, spam distribution, and phishing networks. Despite the Sitting Ducks attack being reported in 2016, the vulnerability remains largely unresolved. This highlights the critical yet often neglected aspect of DNS security within broader cybersecurity efforts. 

To effectively combat this pressing cybersecurity threat, a collaborative effort is essential involving domain holders, DNS providers, registrars, regulatory bodies, and the broader cybersecurity community. Infoblox and Eclypsium are playing a crucial role by partnering with law enforcement agencies and national Computer Emergency Response Teams (CERTs) to mitigate and diminish the impact of this critical security issue.

The Growing Cybersecurity Concerns of Generative Artificial Intelligence

In the rapidly evolving world of technology, generative artificial intelligence (GenAI) programs are emerging as both powerful tools and significant security risks. Cybersecurity researchers have long warned about the vulnerabilities inherent in these systems. From cleverly crafted prompts that can bypass safety measures to potential data leaks exposing sensitive information, the threats posed by GenAI are numerous and increasingly concerning. Elia Zaitsev, Chief Technology Officer of cybersecurity firm CrowdStrike, recently highlighted these issues in an interview with ZDNET. 

"This is a new attack vector that opens up a new attack surface," Zaitsev stated. He emphasized the hurried adoption of GenAI technologies, often at the expense of established security protocols. "I see with generative AI a lot of people just rushing to use this technology, and they're bypassing the normal controls and methods of secure computing," he explained. 

Zaitsev draws a parallel between GenAI and fundamental computing innovations. "In many ways, you can think of generative AI technology as a new operating system or a new programming language," he noted. The lack of widespread expertise in handling the pros and cons of GenAI compounds the problem, making it challenging to use and secure these systems effectively. The risk extends beyond poorly designed applications. 

According to Zaitsev, the centralization of valuable information within large language models (LLMs) presents a significant vulnerability. "The same problem of centralizing a bunch of valuable information exists with all LLM technology," he said. 

To mitigate these risks, Zaitsev advises against allowing LLMs unfettered access to data stores. Instead, he recommends a more controlled approach. "In a sense, you must tame RAG before it makes the problem worse," he suggested. This involves leveraging the LLM's capability to interpret open-ended questions and using traditional programming methods to fulfill queries securely. "For example, Charlotte AI often lets users ask generic questions," Zaitsev explained. 

"What Charlotte does is identify the relevant part of the platform and the specific data set that holds the source of truth, then pulls from that via an API call, rather than allowing the LLM to query the database directly." 

As enterprises increasingly integrate GenAI into their operations, understanding and addressing its security implications is crucial. By implementing stringent control measures and fostering a deeper understanding of this technology, organizations can harness its potential while safeguarding their valuable data.

Controversial Reverse Searches Spark Legal Debate


In a growing trend, U.S. police departments and federal agencies are employing controversial surveillance tactics known as reverse searches. These methods involve compelling big tech companies like Google to surrender extensive user data with the aim of identifying criminal suspects. 

How Reverse Searches Operate 

In reverse searches, law enforcement agencies order digital giants such as Google to give them vast reservoirs of user data. Under this law, these agencies have the power to demand information related to specific events or queries, including:

  • Location Data: Requesting data on individuals present in a particular place at a specific time based on their phone's location. 
  • Keyword Searches: Seeking information about individuals who have searched for specific keywords or queries. 
  • YouTube Video Views: A recent court order disclosed that authorities could access identifiable information on individuals who watched particular YouTube videos. 

In the past, when law enforcement needed information for an investigation, they would usually target specific people they suspected were involved in a crime. But now, because big tech companies like Google have so much data about people's activities online, authorities are taking a different approach. Instead of just focusing on individuals, they are asking for massive amounts of data from these tech companies. This includes information on both people who might be relevant to the investigation and those who are not. They hope that by casting a wider net, they will find more clues to help solve cases. 

Following the news, critics argue that these court-approved orders are overly broad and potentially unconstitutional. They raise concerns that such orders could force companies to disclose information about innocent people unrelated to the alleged crime. There are fears that this could lead to prosecutions based on individuals' online activities or locations. 

Also, last year an application filed in a Kentucky federal court disclosed that federal agencies wanted Google to “provide records and information associated with Google accounts or IP addresses accessing YouTube videos for a one-week period, between January 1, 2023, and January 8, 2023.” 

It did not end there, however. The constitutionality of these orders remains uncertain, paving the way for a probable legal challenge before the U.S. Supreme Court. Despite the controversy, federal investigators continue to push the boundaries of this contentious practice.

Decrypting Breach Realities: Beyond Isolation to Collective Progress


Upon discovering that the system has been breached, the initial reaction, marked by a skipped heartbeat, often prompts a common question: What steps should be taken next? 

According to a recent study, over the last two years, more than half of all organizations have experienced a breach from a third party. Regrettably, the predominant response to such incidents is to isolate the affected party. Surprisingly, as many as 83% of consumers confess to halting or discontinuing their transactions with an organization post-incident. 

While it is understandable for people to react to a security incident by distancing themselves from the affected organization, this response overlooks a valuable chance for the entire industry. The opportunity being discussed is the potential for shared learning and progress that arises when the specific details of an incident are made public. To put it differently, rather than merely reacting negatively, there is a prospect for the industry to unite, comprehend the incident, and leverage that understanding to enhance overall security practices and resilience. 

What Do We Understand by a Breach?

The terms 'cyberattack,' 'data breach,' and 'breach' are sometimes used interchangeably. However, it's important to note that not every cyberattack results in a data breach, and conversely, not all data breaches are a result of cyberattacks. 

A data breach happens when unauthorized individuals infiltrate secure systems, pilfering credential data that encompasses personal details like Social Security numbers, bank account information, and healthcare records. Additionally, corporate data, such as customer records, intellectual property, and financial information, may also be compromised. 

What is More Concerning? 

Despite having a security program deemed commercially reasonable, breaches persist. No entity is impervious. When assessing potential partners and vendors, a crucial factor to consider is their ability to respond effectively and their willingness to be transparent in the event of a security incident. Employees are gaining more understanding when it comes to security incidents. 

There's a shift from immediately blaming individuals for falling victim to phishing attacks. Security experts recognize that phishing is a numbers game, and as attack tactics become more sophisticated, acknowledging the role of human trust and error in our risk landscape is crucial. While businesses often implement successful security policies internally, the same level of scrutiny is not consistently applied to partners and vendors. 

Recognizing that breaches can happen despite precautions, it is crucial for businesses to include an evaluation of security measures in their vetting process. Hasty decisions to sever ties with a reliable partner after an attack can introduce additional risks, including operational challenges. Although distinguishing between an unexpected breach and a pattern of risky behaviour is vital, the availability of compliance frameworks and security assessments facilitates a more informed evaluation of a potential partner's breach readiness. 

Ready and Transparent Future 

Being more understanding about breaches does not mean organizations should skip their checks. Instead, businesses should always confirm if their partners follow the rules. Security questionnaires and reports remain crucial for ensuring organizations handle data carefully.

Group-IB Uncovered Farnetwork's Ransomware-as-a-Service Business Model

 

In recent findings, cybersecurity experts have uncovered a significant player in the world of cyber threats, known as "farnetwork". This individual has been tied to five separate cyber attack programs within the last four years, showcasing a high level of proficiency in the field. 

Singapore-based cybersecurity firm Group-IB embarked on an ambitious mission to gain insight into a secretive cyber attack program utilizing the Nokoyawa ransomware. Their approach involved a unique "job interview" process with the threat actor responsible for the program. This unconventional interaction provided Group-IB with invaluable information about the individual's background and their pivotal role within various cyber attack programs. 

"Throughout the threat actor's cybercriminal career, which began in 2019, far network has been involved in several connected ransomware projects, including JSWORM, Nefilim, Karma, and Nemty, as part of which they helped develop ransomware and manage the RaaS programs before launching their own RaaS program based on Nokoyawa ransomware," Nikolay Kichatov, cyber security intelligence said at Group-IB. 

About half a year after successfully infiltrating the Qilin Ransomware-as-a-Service (RaaS) syndicate, the cybersecurity firm has shared comprehensive information on how affiliates are paid and the inner workings of the RaaS program. Farnetwork is recognized by many names such as farnetworkit, farnetworkl, jingo, jsworm, piparkuka, and razvrat, depending on the underground forum. Initially, Farnetwork promoted a remote access trojan named RazvRAT as a vendor. 

In 2022, the Russian-speaking threat actor, aside from concentrating on Nokoyawa, reportedly launched their own botnet service. This service enables associates to gain entry to compromised business networks. Since the start of this year, farnetwork has been actively recruiting individuals for the Nokoyawa Ransomware-as-a-Service (RaaS) program.

They task potential candidates with using stolen corporate account information to elevate their access privileges. These recruits are then directed to employ the ransomware to encrypt a victim's files and subsequently demand a ransom in exchange for the decryption key. Information-stealing software logs, containing login details, are sourced from underground markets. 

In certain scenarios, cyber threat actors utilize pre-made stealing tools like RedLine to gain initial access to their target devices. These tools are then distributed through tactics such as deceptive phishing emails and malicious advertising campaigns. 

Under the Ransomware-as-a-Service (RaaS) model, affiliates get 65% of the ransom money, while the botnet owner gets 20%. Meanwhile, the ransomware developer initially gets 15% of the overall share, which may decrease to 10% in certain cases. 

As of October 2023, Nokoyawa has officially halted its operations. However, Group-IB has pointed out a strong likelihood that farnetwork might reemerge, adopting a different identity and introducing a new Ransomware-as-a-Service (RaaS) program.

North Korean Threat Actors Stole $41 Million in Online Casino Heist

 

This week, cyber attackers set their sights on Stake.com, an online casino game and sports betting platform. They successfully made away with around $41 million in cryptocurrencies. The FBI has pinpointed North Korea and its infamous state-supported hacking group, the Lazarus Group, as the responsible parties. 

According to Edward Craven, co-founder of Stake.com, the incident was characterized as a "sophisticated breach." It exploited a specific service employed by the casino for authorizing cryptocurrency transactions. Despite the significant amount stolen by the state-affiliated hackers, particularly given the ongoing downturn in cryptocurrency prices, Craven affirmed that Stake.com would persevere in its operations. 

“The FBI has confirmed that this theft took place on or about September 4, 2023, and attributes it to the Lazarus Group (also known as APT38) which is comprised of DPRK cyber actors,” the agency said in a press release. 

The group has been active since 2010, and its primary interest lies in South Korean entities. The group engages in activities ranging from espionage to disruption and even outright destruction. Additionally, they have a track record of pursuing financial gains through cyber operations, which includes targeting cryptocurrency exchanges.

In 2019, North Korea's Lazarus Group gained infamy and was sanctioned by the U.S. government. This hacking collective, also recognized as APT38, has been responsible for a series of high-profile cyber intrusions, amassing well over a billion dollars in ill-gotten gains over the years.

Just this year alone, the FBI reports that Lazarus Group has purloined more than $200 million in cryptocurrencies. Given the traceable nature of blockchain, authorities possess information on the destination addresses of these funds. The FBI is strongly advising individuals to exercise caution when engaging in transactions linked directly or indirectly to these flagged addresses. 

Speculations from experts suggest that North Korea may be channeling the acquired cryptocurrencies into its nuclear weapons program. This month, Kim Jong-un is scheduled to visit Russia, where discussions are anticipated to revolve around the potential supply of weapons to support Vladimir Putin's ongoing invasion of Ukraine. U.S. officials have cautioned that such actions will come with consequences for the nation.

Critical TootRoot Bug Hijacks Mastodon Servers

 

Mastodon, the decentralized social networking platform that emphasizes freedom and open-source principles, has recently addressed several vulnerabilities, including a critical one with potentially severe consequences. This particular vulnerability enabled hackers to exploit specially designed media files, allowing them to generate arbitrary files on the server. However, the Mastodon team has taken prompt action to patch these vulnerabilities and enhance the platform's security. 

Mastodon is a software that facilitates the operation of self-hosted social networking services, and it is freely available and open-source. The platform encompasses microblogging functionalities, similar to those found on Twitter. Notably, Mastodon operates through numerous independent nodes, referred to as instances, each possessing its distinct set of guidelines, regulations, privacy preferences, and content moderation policies. 

Instances contribute to a diverse ecosystem of interconnected social networks, providing users with a range of choices and experiences. With a user base of approximately 8.8 million, Mastodon thrives on a network of 13,000 individual servers, also known as instances. These servers are hosted by dedicated volunteers who foster a sense of community while maintaining their unique identities. 

The instances, although separate, are interconnected through federation, enabling diverse communities to coexist and interact with one another. This decentralized approach empowers users to choose the instance that aligns with their interests, fostering a vibrant and interconnected ecosystem within the Mastodon platform. 

Independent auditors from Cure53 discovered and helped fix four vulnerabilities in Mastodon, as a result of their thorough assessments. Engaged by Mozilla to inspect Mastodon's code, Cure53 specializes in penetration testing for online services. The most critical vulnerability, known as TootRoot (CVE-2023-36460), allowed attackers an easy way to compromise servers. 

Mastodon promptly addressed these vulnerabilities, highlighting their commitment to platform security and integrity. The four vulnerabilities that Mastodon resolved included two critical-severity flaws. One of them, identified as CVE-2023-36459, involves a cross-site scripting (XSS) issue in oEmbed preview cards. This vulnerability allows bypassing HTML sanitization in the target browser, potentially leading to account hijacking, user impersonation, or unauthorized access to sensitive data. 

The other critical-severity flaw, CVE-2023-36461, relates to a Denial of Service (DoS) vulnerability caused by slow HTTP responses. Additionally, CVE-2023-36462, also rated as high-severity, enables attackers to format a deceptive verified profile link for phishing purposes. These four vulnerabilities impact Mastodon versions 3.5.0 onwards and have been addressed in the subsequent versions: 3.5.9, 4.0.5, and 4.1.3. Mastodon's timely patches demonstrate their commitment to ensuring the security of their platform.

Ransomware Affiliates, Triple Extortion, and the Dark Web Ecosystem

 

While the dark web is often associated with drugs, crime, and leaked information, there has been a rise in a sophisticated cybercrime ecosystem that operates through platforms like Tor and illicit channels on Telegram. One aspect of this trend is the emergence of ransomware groups and their affiliates, who are employing increasingly intricate methods to extort money from companies. 

According to a recent report from Unit42, ransomware attacks surged by 518% in 2021 compared to the previous year. Another report by KnowBe4 reveals that 83% of successful attacks involved Double and Triple Extortion tactics. Triple extortion is an advanced variation of double extortion, where cybercriminals threaten to expose a company's sensitive data unless a ransom is paid. 

Recently, we have noticed that groups involved in extortion are using more advanced methods. It is now uncommon for a group to only lock a company's data with encryption. Instead, some groups are completely bypassing encryption and concentrating on stealing data and blackmailing employees. 

What are single, double, and triple extortion attacks? 

Single extortion attack refers to a traditional ransomware approach where a group encrypts a company's data and demands payment to unlock it. 

Double extortion attack involves a ransomware group encrypting a company's data and also stealing it. They then threaten to publish the stolen data on ransomware blogs unless the victim pays the ransom.

Triple extortion attack is an advanced version of double extortion. In addition to encrypting and stealing data, the cybercriminals also threaten to expose the stolen information, launch DDoS attacks, or target the company with other harmful activities unless the ransom is paid. 

What are ransomware affiliates? 

A ransomware affiliate is someone or a group that rents access to Ransomware-as-a-Service (RaaS) platforms. They use this access to break into company networks, encrypt files using the rented ransomware, and earn a commission when their extortion attempts are successful. 

What are the challenges? 

In the first half of 2023, there have already been over 2,000 instances of data leaks on ransomware blogs. This indicates that 2023 is likely to set a new record for ransomware data disclosure. The emergence of triple extortion ransomware aligns with another significant change in the threat landscape: the increasing prevalence of infostealer malware. 

There has been a notable rise in "initial access brokers" who work on exclusive dark web forums. These brokers specialize in acquiring initial access to companies and then sell it through auction-style platforms, where interested buyers can either bid or choose to purchase immediately at a fixed price. 

What can cybersecurity teams do? 

As the cybercrime ecosystem becomes more complex, even less experienced threat actors can now launch sophisticated attacks on businesses. At Flare, we firmly believe that setting up a continuous threat exposure monitoring process (CTEM) is vital for strong cybersecurity. 

Gartner predicts that companies adopting CTEM practices can decrease the likelihood of a data breach by 66% by 2026. Infostealer malware, such as Vidar, Redline, and Raccoon, infects individual computers and extracts important information. This includes browser fingerprints, host data, and most critically, all the saved credentials stored in the browser.

How the FBI Hacked Hive and Saved Victims

Earlier this year, the FBI achieved a significant milestone by dismantling Hive, a notorious cybercrime group, employing an unconventional approach. Instead of apprehending individuals, the agency focused on outsmarting and disrupting the hackers remotely. This marks a notable shift in the FBI's strategy to combat cybercrime, recognizing the challenges posed by international borders where many cybercriminals operate beyond the jurisdiction of U.S. law enforcement. 

In the past, Hive gained infamy as a highly active criminal syndicate, renowned for its acts of disrupting American schools, businesses, and healthcare institutions by disabling their networks and subsequently demanding ransoms for restoration. However, FBI field agents based in Florida successfully dismantled the group using their cyber expertise. 

They initially gained unauthorized access to Hive's network in July 2022 and subsequently countered the syndicate's extortion activities by aiding the targeted organizations in independently regaining access to their systems. 

According to Adam Hickey, a former Deputy Assistant Attorney General in the Justice Department's national security division during the Hive operation, the FBI's method proved effective and saved victims worldwide approximately $130 million. After conducting thorough investigations, the FBI discovered that Hive had rented its primary attack servers from a Los Angeles data center. 

Acting swiftly, the FBI seized the servers within two weeks and subsequently announced the takedown. This rapid action was motivated by the agency's recognition of an opportunity to halt Hive's activities, which had previously been difficult to preempt. However, while the announcement marked a significant milestone, Special Agent Smith and Director Crenshaw emphasized that the case is far from over. 

Hickey, who is now a partner at Mayer Brown law firm, stated that relying solely on arrests to combat cyber threats would be an oversimplified approach. He emphasized the need for a broader perspective and alternative strategies to address the evolving cyber threat landscape. 

The FBI initially became aware of Hive in July 2021 when the group, which was still relatively unknown at the time, targeted and encrypted the computer network of an undisclosed organization in Florida. This occurred during a period when prominent ransomware groups were carrying out severe attacks on gas pipelines and meat processors in the United States. 

In the following 18 months, Hive conducted more than 1,500 attacks worldwide, resulting in the collection of approximately $100 million in cryptocurrency from the victims, as estimated by U.S. law enforcement. The group's rapid expansion can be attributed, in part, to its strategic utilization of ruthlessness as a catalyst for growth. 

They targeted organizations, including hospitals and healthcare providers, that other cybercriminals had refrained from attacking. Data gathered by researcher Allan Liska reveals that despite the FBI's covert presence within Hive, the group continued to carry out attacks at a consistent rate. 

On a hidden website where Hive disclosed the identities and sensitive details of victims who refused to pay, they listed seven victims in August, eight in September, seven in October, nine in November, and 14 in December. These numbers remained similar to the group's attack patterns before the FBI's infiltration. 

Hive members are still at large, and the seized servers could potentially aid in exposing the network of affiliates who collaborated with Hive during the 18-month period. As a result, the takedown has the potential to lead to additional arrests in the future.

Federal Report Highlights Steps for Enhancing Software Code Pipeline Security Amid App Attacks

 

In a recent update, the National Security Agency (NSA) and the Cybersecurity and Infrastructure Security Agency (CISA) collaborated on an advisory memorandum with the aim of strengthening security measures within application development software supply chains. 
The memo, titled "Defending Continuous Integration/Continuous Delivery (CI/CD) Pipelines," delves into the vulnerabilities associated with deployment processes and sheds light on potential methods that attackers can employ to exploit these pipelines. 

These tactics range from the theft of login credentials and encryption keys to injecting malware into or assuming control over source code projects. To address these concerns, the advisory memo draws heavily upon the MITRE ATT&CK threat framework, utilizing its threat classification system to offer recommended strategies and countermeasures. The publication underscores the substantial scope for improvement in this area and serves as a valuable resource for enhancing defense mechanisms. 

According to the recent State of Software Security report by Veracode Inc., a significant majority of the 130,000 applications tested exhibited at least one security flaw, accounting for 76% of the total. Furthermore, the report highlighted that approximately 24% of all applications assessed contained high-severity flaws. These findings indicate a substantial scope for improvement and ample opportunity to develop more secure applications. 

Software code pipeline security encompasses the following measures and practices: 

Source Code Management: Implement secure version control systems with proper access controls and monitoring to protect code repositories. 

Build Process Security: Ensure secure build environments and tools to prevent tampering or injection of malicious code. Validate dependencies and use approved components. 

Code Testing and Analysis: Conduct comprehensive security testing and code analysis at different stages of the pipeline. Utilize static code analysis, dynamic testing, and vulnerability scanning. 

Secure Artifact Storage: Safeguard artifacts generated during the build process, such as binaries or container images. Maintain secure storage and apply appropriate access controls. 

Deployment Security: Establish secure deployment practices to deploy authorized and validated artifacts to production environments. Verify code integrity and detect unauthorized changes. 

Continuous Monitoring: Implement continuous monitoring and logging mechanisms to identify security incidents, unauthorized access attempts, anomalies, or code tampering. 

Access Control and Authentication: Enforce proper access controls and authentication mechanisms for code repositories, build servers, and deployment environments. Utilize strong authentication, role-based access control, and least privilege principles. 

By implementing these security measures throughout the code pipeline, organizations can enhance protection against code tampering, unauthorized access, and vulnerabilities, ensuring the overall security and integrity of the software development process. 
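As an added illustration of the "Secure Artifact Storage" and "Deployment Security" measures above (this is not code from the NSA/CISA memo), the sketch below records a SHA-256 digest for every build artifact and refuses deployment when a file is modified, missing, or not on the approved list. The function names are hypothetical, and the HMAC key is an assumption that stands in for a real signing key held only by the build system.

```python
import hashlib
import hmac
import json
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream the file so large artifacts do not have to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def _tag(entries: dict, key: bytes) -> str:
    # Canonical JSON (sorted keys, fixed separators) so the tag is reproducible.
    canonical = json.dumps(entries, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()


def build_manifest(artifact_dir: Path, key: bytes) -> dict:
    """Build stage: record a digest for every artifact and authenticate the list."""
    entries = {
        p.relative_to(artifact_dir).as_posix(): sha256_file(p)
        for p in sorted(artifact_dir.rglob("*")) if p.is_file()
    }
    return {"artifacts": entries, "tag": _tag(entries, key)}


def verify_manifest(artifact_dir: Path, manifest: dict, key: bytes) -> list:
    """Deploy stage: return findings; an empty list means the artifacts match."""
    entries = manifest.get("artifacts", {})
    # Check the manifest first: a forged manifest makes every digest meaningless.
    if not hmac.compare_digest(_tag(entries, key), str(manifest.get("tag", ""))):
        return ["manifest: authentication tag mismatch"]
    findings = []
    on_disk = {
        p.relative_to(artifact_dir).as_posix()
        for p in artifact_dir.rglob("*") if p.is_file()
    }
    for name, expected in sorted(entries.items()):
        if name not in on_disk:
            findings.append(f"missing: {name}")
        elif not hmac.compare_digest(sha256_file(artifact_dir / name), expected):
            findings.append(f"modified: {name}")
    for name in sorted(on_disk - set(entries)):
        findings.append(f"unapproved: {name}")
    return findings


def demo() -> dict:
    """Constructed sample artifacts in a temp directory; findings per scenario."""
    key = b"constructed-demo-key"  # assumption: stand-in for the build system's key
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "app.bin").write_bytes(b"release build 1.0")
        (root / "config.yaml").write_text("debug: false\n")
        manifest = build_manifest(root, key)
        results["clean"] = verify_manifest(root, manifest, key)

        # Simulate changes made between the build stage and deployment.
        (root / "app.bin").write_bytes(b"release build 1.0 plus extra bytes")
        (root / "unexpected.sh").write_text("#!/bin/sh\n")
        (root / "config.yaml").unlink()
        results["tampered"] = verify_manifest(root, manifest, key)

        # A manifest rewritten to match the changed files fails authentication.
        forged = {"artifacts": build_manifest(root, b"other-key")["artifacts"],
                  "tag": manifest["tag"]}
        results["forged_manifest"] = verify_manifest(root, forged, key)
    return results


if __name__ == "__main__":
    for scenario, findings in demo().items():
        print(scenario, "->", findings or "OK")
```

The manifest is authenticated before any digest is compared, so rewriting the manifest to match altered files does not pass the gate.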


Know Quantum Threats Before Using AI Language Models Like ChatGPT

 

By this point, ChatGPT has become a household name as the pioneering example of a novel form of artificial intelligence known as generative AI, or large language models (LLMs). Since its launch in November 2022, ChatGPT has experienced exceptional growth, amassing a staggering 1 million users in just five days. 

Today, with over 100 million users, ChatGPT has become a widely adopted AI model, and Openai.com, the platform behind its creation, receives approximately 1 billion monthly visits. As our reliance on LLMs continues to grow, our digital footprints expand exponentially. 

This is due to our usage of LLMs, like other websites and applications, through internet and satellite communications that are safeguarded by public key infrastructure (PKI). 

How are quantum computers a threat to language models? 

In recent times, quantum computers have gained significant attention for their immense computational power. These machines have the potential to break PKI and decrypt vast amounts of our existing communications, encompassing almost everything we engage in on the internet. Consequently, the data we generate, including LLM data, becomes vulnerable to exploitation by adversaries equipped with quantum computers. 

Quantum threats arise due to the development and potential utilization of quantum computers, which possess the ability to perform certain calculations at a much faster pace than classical computers. These highly capable machines pose a significant risk to the security of current cryptographic algorithms used for safeguarding data. 

A primary concern is the susceptibility of traditional asymmetric encryption algorithms, such as RSA and elliptic curve cryptography (ECC), to quantum computers. These algorithms rely on complex mathematical problems, like factoring large numbers or solving discrete logarithms, to ensure the integrity of encryption. However, quantum computers can efficiently solve these problems using algorithms like Shor's algorithm, potentially compromising the security of encrypted data. 

Why is it very challenging to protect a system from quantum threats?

As we increasingly engage with technology in our daily lives, such as using mobile phones, making online purchases, or utilizing AI-powered systems like LLMs, our digital presence expands. This accumulation of data creates a digital twin or shadow that grows alongside our activities. 

With the advancement of LLMs and AI, it becomes increasingly challenging to differentiate between our real selves and our digital counterparts. The integration of LLM data into our digital shadows means that every aspect of our lives becomes part of a permanent and accessible database. This poses a potential risk as adversaries equipped with quantum tools could gain unauthorized access to this data. 

Consequently, not only individuals but also businesses and government organizations that rely on these technologies expose themselves to the same threats. 

Consider the gravity of sensitive information such as government or nuclear secrets, personal healthcare records, bank account details, and identification numbers like Social Security and driver's license numbers. It is imperative that these data remain confidential and secure for extended periods, ranging from 25 to 75 years. 

However, if a highly capable quantum computer becomes operational within the next five years, the potential consequences become evident. The exposure of our most valuable and sensitive information would persist for decades, compromising privacy and security on an unprecedented scale. 

What can you do to protect your data privacy in the era of LLMs and AI technology? 

  • Understand the implications: Recognize that the use of LLMs and AI exposes data during communication and storage processes. Be aware of the potential risks associated with these technologies. 
  • Avoid sensitive data exposure: Refrain from using LLMs or AI platforms where there is a possibility of sensitive or confidential information being exposed or stored. Exercise caution and prioritize data privacy. 
  • Review privacy policies: Take the time to read and understand the privacy policies of LLM websites or AI service providers. Being aware of how your data will be used can help you make informed decisions about sharing information.

What is the future against quantum threats? 

In response to this challenge, researchers are actively engaged in the development of post-quantum cryptography, also known as quantum-resistant cryptography. This field focuses on creating new cryptographic algorithms that can withstand attacks from both classical and quantum computers. 

The ultimate objective is to establish long-term security for sensitive data and communications, considering the increasing power and accessibility of quantum computers. Ongoing efforts are underway to standardize quantum-resistant cryptographic algorithms and establish a new generation of encryption methods. 

These endeavors involve collaboration among experts to define and promote secure algorithms capable of countering quantum threats. Furthermore, organizations may need to adopt hybrid approaches that combine classical and post-quantum cryptography to ensure the secure transmission and storage of data in the face of evolving quantum threats.
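The hybrid approach mentioned above can be sketched as a key combiner: the shared secret from a classical key exchange and the shared secret from a post-quantum key encapsulation are both fed into one key derivation function, so recovering only one of them is not enough to compute the session key. This is an added example, not code from any standard or product; the two secrets are constructed byte strings standing in for real key-exchange outputs, and the function names, salt label and context string are assumptions.

```python
import hashlib
import hmac

HASH = hashlib.sha256
HASH_LEN = HASH().digest_size

# Constructed sample inputs: stand-ins for the outputs of a real classical
# key exchange and a real post-quantum KEM (neither is performed here).
CLASSICAL_SECRET = hashlib.sha256(b"constructed classical shared secret").digest()
PQ_SECRET = hashlib.sha256(b"constructed post-quantum shared secret").digest()
CONTEXT = b"example-session-42"


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """HKDF-Extract (RFC 5869): condense input keying material into a PRK."""
    return hmac.new(salt or b"\x00" * HASH_LEN, ikm, HASH).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """HKDF-Expand (RFC 5869): stretch the PRK into `length` bytes bound to `info`."""
    if length > 255 * HASH_LEN:
        raise ValueError("requested output too long for HKDF")
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), HASH).digest()
        okm += block
        counter += 1
    return okm[:length]


def _framed(secret: bytes) -> bytes:
    # Length prefix: (b"ab", b"c") and (b"a", b"bc") must not collide.
    if not secret:
        raise ValueError("each key exchange must contribute a non-empty secret")
    return len(secret).to_bytes(2, "big") + secret


def hybrid_session_key(classical_secret: bytes, pq_secret: bytes,
                       context: bytes, length: int = 32) -> bytes:
    """Derive one session key that depends on BOTH shared secrets."""
    ikm = _framed(classical_secret) + _framed(pq_secret)
    prk = hkdf_extract(b"hybrid-kdf-example-v1", ikm)  # assumed salt label
    return hkdf_expand(prk, context, length)


if __name__ == "__main__":
    key = hybrid_session_key(CLASSICAL_SECRET, PQ_SECRET, CONTEXT)
    print("session key:", key.hex())
    # An attacker who knows only the classical secret has to guess the other
    # input, so substituting any other value yields a different key.
    guess = hybrid_session_key(CLASSICAL_SECRET, b"\x00" * 32, CONTEXT)
    print("classical secret alone reproduces key:", guess == key)
```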

How the Economy is Impacting Cybersecurity Teams

A recent study conducted by HackerOne, the world's largest ethical hacker community, revealed that half of the surveyed organizations experienced a surge in cybersecurity vulnerabilities in the last year. This alarming trend has been attributed to security budget cuts and layoffs. At a HackerOne event, researchers, along with ethical hackers and leaders from Sumo Logic and GitLab, discussed the economic impacts of this issue. 

The experts emphasized the critical role of DevSecOps, machine learning, and artificial intelligence in mitigating security risks during an economic downturn, particularly in light of the current vulnerable state of organizations. They also highlighted how some companies are achieving more with less in the face of these challenges. 

The survey reveals that 75% of the surveyed companies are experiencing difficulties in managing cybersecurity effectively due to economic reductions like budget cuts, hiring freezes, and layoffs. While these cost-saving measures may seem beneficial in the short term, cutting back on cybersecurity investments can lead to severe consequences for companies in the long run. 

In addition, as the FBI's report in 2008 and the recent pandemic have shown, cybercrime tends to surge during times of economic recession and crisis. According to Acronis, the average cost of a data breach is now at an unprecedented high of over $5 million, which is expected to increase by 2023. 
Furthermore, with the continuous changes in the regulatory framework, compliance risks are also on the rise, and companies are finding them difficult to manage. 

George Gerchow, chief security officer and senior vice president of IT at Sumo Logic, said: “Whenever there are times of high anxiety, such as an economic downturn coming off of a pandemic, bad actors are at their best. I’ve seen a few companies impacted by the tightening of the budget strings, but I can tell you that at Sumo, it hasn’t happened. We’re probably investing more heavily than we ever have. I think it’s a real mistake when companies start cutting back on their budget around cybersecurity, especially during these times.” 

Despite 84% of companies expressing concern about the financial and reputational harm that could arise from cybersecurity breaches, the HackerOne report shows that many of them have implemented or plan to implement cost-cutting measures that impact their security teams. The report reveals that over the past year, 39% of companies have already made cuts to their security teams, and 40% plan to make similar cuts in the coming year. Such actions, according to Gerchow, have direct and indirect consequences that are often disregarded.

Kimsuky Spear-Phishing Campaign Goes Global Using New Malware

On Thursday, security researchers from SentinelOne reported that the North Korean state-sponsored APT group, Kimsuky, has been observed utilizing a brand new malware component called ReconShark. The malware is disseminated through spear-phishing emails that are specifically targeted, containing OneDrive links that, when clicked, trigger the download of documents that subsequently activate malicious macros.  

Tom Hegel and Aleksandar Milenkoski from SentinelOne revealed that the spear-phishing emails used to distribute ReconShark are tailored to specific individuals, with a high level of design quality that increases the likelihood of the target opening them. These emails appear legitimate, using proper formatting, grammar, and visual clues that can deceive unsuspecting users. 

Moreover, the malicious documents and the links in the emails are disguised with the names of real individuals whose knowledge or expertise is relevant to the subject of the lure, for instance, political scientists. 

Furthermore, the researchers added that “The ability of ReconShark to exfiltrate valuable information, such as deployed detection mechanisms and hardware information, indicates that ReconShark is part of a Kimsuky-orchestrated reconnaissance operation that enables subsequent precision attacks, possibly involving malware specifically tailored to evade defenses and exploit platform weaknesses”.

The state-sponsored APT group Kimsuky, which has been operating since 2012, is also identified by other names such as APT43, ARCHIPELAGO, Black Banshee, Emerald Sleet (previously Thallium), Nickel Kimball, and Velvet Chollima. This notorious threat actor group has been involved in targeted attacks on numerous entities, including non-governmental organizations (NGOs), diplomatic agencies, military organizations, think tanks, research entities, and economic groups across Asia, North America, and Europe. 

In new developments, Kimsuky differs from its predecessors. It avoids storing collected data on the file system. Instead, the malware stores the information in string variables and transmits it to a command-and-control (C2) server via HTTP POST requests. Additionally, ReconShark can install supplementary payloads, such as DLL files or scripts, by examining the detection mechanisms present on the infected systems. 

Furthermore, the security researchers noted that Kimsuky's recent activities are designed to hit global issues. “For example, the latest Kimsuky campaigns have focused on nuclear agendas between China and North Korea, relevant to the ongoing war between Russia and Ukraine,” reads the report. 

The discovery of ReconShark adds to the growing evidence that Kimsuky is changing its techniques to secretly access and control computer systems, stay undetected, and collect information for prolonged periods.

Crypto Platform 3Commas Attacked

 

Cryptocurrency trading platform 3Commas reported that they suffered a data breach in which API data were stolen. Following the incident, an FBI investigation has been called in. 

However, the investigation comes after weeks of criticism from users of the Estonia-based crypto trading platform. As per the statement released by the platform, an unknown hacker posted 3Commas’ API database to Pastebin on 28 December. 

Also, users reported that its CEO repeatedly ignored the warning signs that the platform had been targeted. 

The cyber threat security team of the company has confirmed the attack’s authenticity after analyzing it, saying “at this point, 3Commas can, unfortunately, confirm that some of 3Commas’ users’ API data (API keys, secrets and passphrases) have been disclosed by a third party.”

Further, it added that “Currently and to the best of our knowledge only API data have been disclosed as part of this incident. As a likely consequence, the hacker(s) may use or may have used the API data to connect your exchange accounts to his/their account and/or initiate unauthorized trades”. 

The threat actor has managed to leak a set of 10,000 API keys, which was just 10% of the 100,000-strong database, as per the report. These keys are used by 3Commas bots to automatically interact with crypto exchange platforms, make trades and generate profit, without user interaction. 

The company sent notice to its users via email and a blog post, in which it assures its users that their data and funds will be protected as the company has taken precautionary measures already. The attack has also been reported to the relevant law enforcement agencies, including the FBI. 

However, the damage has already been done. The malicious actor has been abusing stolen API keys since November and, as per the report, has managed to steal some $6 million worth of cryptocurrencies so far. 

Furthermore, the company added, “Only a small number of technical employees had access to the infrastructure, and we have taken steps since November 19 to remove their access. Since then, we have implemented new security measures, and we will not stop there; we are launching a full investigation in which law enforcement will be involved”.

Hackers Leaked Stolen Data of 5.7M Gemini Users

Gemini crypto exchange announced this week that its customers have fallen victim to a phishing campaign after a group of malicious actors collected their personal credentials by breaching a third-party vendor. 

The notification of the attack came to light after multiple posts on hacker forums observed by BleepingComputer offered to sell a database reportedly from the Gemini crypto exchange containing email addresses and phone numbers of 5.7 million customers. 

“Some Gemini customers have recently been the target of phishing campaigns that we believe are the result of an incident at a third-party vendor. This incident led to the collection of Gemini customer email addresses and partial phone numbers...,” reads the advisory published by the crypto exchange. “…No Gemini account information or systems were impacted as a result of this third-party incident, and all funds and customer accounts remain secure.” 

The Gemini security team released a short notice in which it described the attack but did not disclose the name of the third-party vendor that suffered an "incident" that gave malicious actors unauthorized access. Because of the breach, customers of the company received phishing emails. 

However, the objective of the threat actors remains unknown. In the short report, the company wrote that the account information and its systems are safe from the attack and that funds and customer accounts "remain secure." 

After the attack, the company came back online after seven hours, with the downtime attributed to scheduled maintenance. “The Gemini Spaceship will undergo scheduled Exchange maintenance on Thursday, December 15th from approximately 10:00 p.m. until Friday, December 16th at 12:30 a.m. ET, and all user interfaces and trading will be unavailable during that time,” a notice on the exchange's status page read. 

Gemini advised its customers to use strong authentication methods, two-factor authentication (2FA) and/or hardware security keys to protect their networks and systems.

North Korean Hackers Target Crypto Job Seekers to Evade Western Sanctions

North Korean state-sponsored hackers are victimizing cryptocurrency workers with a new phishing campaign on LinkedIn and Indeed, plagiarizing resumes and other people’s profiles to land remote work at crypto firms, security researchers at Mandiant said. 

Malwarebytes cyber security researcher, Hossein Jazi, published details of the attack on Twitter. Research analysis shows that the hackers leveraged a PDF containing information about the non-existent role of “engineering manager, product security” at crypto giant Coinbase. 

The objective behind this campaign is to get access to these firms’ internal operations and projects, and to gather data about upcoming trends, including Ethereum network development, potential security lapses, and non-fungible tokens (NFTs). 

This information reportedly helps North Korean threat actors launder cryptocurrencies that the Pyongyang government can later use to counter Western sanctions. 

Joe Dobson, a principal analyst at Mandiant, told the press that “It comes down to insider threats. If someone gets hired onto a crypto project, and they become a core developer, that allows them to influence things, whether for good or not.” 

This phishing campaign also shares similarities with Operation In(ter)caption, first exposed by ESET in June 2020, in which hackers used LinkedIn phishing messages containing job offers aimed at people working in relevant sectors. Malicious files and data were sent either via email or via LinkedIn in a OneDrive link. 

“Once the recipient opened the file, a seemingly innocent PDF document with salary information related to the fake job offer was displayed. Meanwhile, the malware was silently deployed on the victim’s computer. In this way, the attackers established an initial foothold and reached a solid persistence on the system,” ESET reported. 

Although the government of North Korea has denied its involvement in any cyber-related theft, U.S. federal agencies such as the Department of State and the FBI released warnings earlier this year to organizations against randomly hiring freelancers from North Korea, as they were potentially misleading businesses about their true identities and the state's (DPRK) backing of their activities.