Search This Blog
Powered by Blogger.

Blog Archive

Labels

About Me

Load More
Trendy Right Now

Popular Posts

Showing posts with label CISA. Show all posts
Technology
AI ChatGPT CISA FBI GenAI NSA Technology

Governments Release New Regulatory AI Policy


Regulatory AI Policy 

The CISA, NSA, and FBI teamed with cybersecurity agencies from the UK, Australia, and New Zealand to make a best-practices policy for safe AI development. The principles laid down in this document offer a strong foundation for protecting AI data and securing the reliability and accuracy of AI-driven outcomes.

The advisory comes at a crucial point, as many businesses rush to integrate AI into their workplace, but this can be a risky situation also. Governments in the West have become cautious as they believe that China, Russia, and other actors will find means to abuse AI vulnerabilities in unexpected ways. 

Addressing New Risks 

The risks are increasing swiftly as critical infrastructure operators develop AI into operational tech that controls important parts of daily life, from scheduling meetings to paying bills to doing your taxes.

From foundational elements of AI to data consulting, the document outlines ways to protect your data at different stages of the AI life cycle such as planning, data collection, model development, installment and operations. 

It requests people to use digital signature that verify modifications, secure infrastructure that prevents suspicious access and ongoing risk assessments that can track emerging threats. 

Key Issues

The document addresses ways to prevent data quality issues, whether intentional or accidental, from compromising the reliability and safety of AI models. 

Cryptographic hashes make sure that taw data is not changed once it is incorporated into a model, according to the document, and frequent curation can cancel out problems with data sets available on the web. The document also advises the use of anomaly detection algorithms that can eliminate “malicious or suspicious data points before training."

The joint guidance also highlights issues such as incorrect information, duplicate records and “data drift”, statistics bias, a natural limitation in the characteristics of the input data.

Read more »
Vulnerabilities and Exploits
China CISA IP Address Ransomware SAP Bug Vulnerabilities and Exploits

Ransomware Hackers Target SAP Servers Through Critical Flaw

 


A newly discovered security hole in SAP’s NetWeaver platform is now being misused by cybercriminals, including ransomware gangs. This flaw allows attackers to run harmful commands on vulnerable systems from a distance—without even needing to log in.

SAP issued urgent software updates on April 24 after learning about the flaw, found in NetWeaver’s Visual Composer tool. The weakness, labeled CVE-2025-31324, makes it possible for attackers to upload files containing malware. Once inside, they can take full control of the affected system.

ReliaQuest, a cybersecurity firm that tracked this issue, now says that two known ransomware groups, RansomEXX and BianLian have joined in. Although they haven’t yet successfully launched any ransomware in these cases, their involvement shows that multiple criminal groups are watching this flaw closely.

Investigators linked BianLian to at least one incident using an IP address tied to their past operations. In another case, RansomEXX attackers used a backdoor tool called PipeMagic and also took advantage of a previously known bug in Microsoft’s Windows system (CVE-2025-29824).

Even though their first effort didn’t succeed, the attackers made another attempt using a powerful hacking framework called Brute Ratel. They delivered it using a built-in Microsoft function called MSBuild, which helped them run the attack in a sneaky way.

More recently, security teams from Forescout and EclecticIQ connected this activity to hackers linked to China. These groups, tracked under various names, were also found to be exploiting the same SAP vulnerability. In fact, they managed to secretly install backdoors on at least 581 SAP systems, including some tied to national infrastructure in the US, UK, and Saudi Arabia. Their plans may also include targeting nearly 2,000 more systems soon.

Experts believe these hidden access points could help foreign state-sponsored hackers gather intelligence, interfere with operations, or even achieve military or economic goals. Since SAP systems are often connected to important internal networks, the damage could spread quickly within affected organizations.

SAP has also fixed another weakness (CVE-2025-42999), which had been silently misused since March. To stay safe, system administrators are advised to apply the patches immediately. If they can’t update right away, disabling the Visual Composer tool can help. They should also restrict access to certain features and monitor their systems closely for anything unusual.

The US government’s cyber agency CISA has officially listed this flaw as a known risk. Federal departments were told to patch their systems by May 20 to avoid falling victim.

Read more »
Sensitive data
Chinese Hackers CISA Cyber Security Ghost MFA Sensitive data

Chinese Ghost Hackers Focus on Profits, Attack Key Sectors in the US and UK


 

In the world of cybercrime, criminals usually fall into two groups. Some target individuals, tricking them for money. Others go after important organizations like hospitals and companies, hoping for bigger payouts. Although attacks on healthcare are less common, they cause major harm when they happen. Incidents like the New York Blood Center hack, where hackers stole a million patient records, show how serious the risk is. Now, a new report warns about Chinese cybercriminals, known as Ghost, who are attacking government offices, power companies, banks, factories, and hospitals. Most of their attacks have affected North America and the United Kingdom.


Ghost Hackers Active in Over 70 Countries

According to research shared by Rebecca Harpur from Blackfog, the Ghost hacking group is based in China and acts on its own without links to the government. Their main goal is to make money, not to steal secrets. Over time, this group has changed its identity multiple times, previously using names like Cring, Crypt3r, Hello, and Phantom. By rebranding, they make it harder for law enforcement agencies to track them as one single group.

Despite their tricks, agencies like the FBI and the Cybersecurity and Infrastructure Security Agency (CISA) have raised alarms about the damage Ghost can cause. The Blackfog report explains that victims usually receive a message demanding money, threatening to either destroy stolen information or release it publicly if they refuse to pay.


How Ghost Carries Out Its Attacks

The way Ghost hackers break into systems usually follows the same pattern:

• They first find and exploit weaknesses in systems that are open to the internet, such as VPN devices, websites, and email servers.

• After getting inside, they install secret programs like Cobalt Strike and web shells to stay hidden. They often create fake accounts and disable security software once they have high-level access.

• With these privileges, they move across the network quietly and transfer sensitive data to their own servers.

• Once enough data is stolen, they release ransomware programs (often named Ghost.exe or Cring.exe) across the network. This encrypts files, destroys backup copies, and leaves a ransom note demanding payment.


Tips to Stay Protected

Although the FBI has provided detailed steps to defend against these attacks, Blackfog suggests a few important actions:

1. Keep backups of all important data and store them separately from your main network.

2. Always install the latest updates for your operating systems, applications, and firmware.

3. Use multi-factor authentication to add an extra layer of security to user accounts.

4. Divide your network into smaller parts to make it harder for hackers to move around freely if they break in.


The Ghost hacking group is not interested in spying — their focus is on making money. Organizations need to stay alert, strengthen their defenses, and act fast to prevent serious damage from these ongoing threats.






Read more »
Software
CISA Cyber Security Oracle Cloud Software

CISA Raises Alarm Over Oracle Cloud Security Leak

 



The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has warned organizations about growing digital threats after a security incident involving Oracle’s old cloud systems. The alert points to the danger of leaked login details falling into the wrong hands, even though the full damage is still being investigated.

What Caused the Concern

Earlier this year, Oracle found out that hackers had broken into two outdated servers that were no longer in use. These systems were part of older technology, not tied to the company's current cloud services. While Oracle says its newer systems are unaffected, attackers still managed to steal information like emails, usernames, passwords, and digital keys used for logging in.

Some of this stolen information was shared online, with parts of it appearing to be more recent than expected. Cybersecurity news sources also received samples from the attacker, which some Oracle clients confirmed were real.


Why This Is a Big Deal

CISA explained that when login details are hidden inside software or automated tools, they’re hard to find and fix. If stolen, these hidden credentials could let hackers into systems without being noticed for a long time. Even worse, people often use the same passwords for different tools, which can help attackers reach more places using just one stolen set of details.


What Organizations Should Do Now

To reduce the chance of harm, CISA advised companies to act quickly. Their suggestions include:

1. Change all possibly affected passwords right away  

2. Stop storing login details inside programs or scripts  

3. Use multi-factor authentication to add an extra layer of security  

4. Check recent login activity for anything unusual  


More Breaches Reported

Reports also say that hackers placed harmful software on other older Oracle servers in early 2025. These systems, called Oracle Cloud Classic, may have been targeted since January. During this time, the attackers reportedly accessed Oracle’s Identity Manager system, which stores user login data.

In a separate incident, Oracle Health — a company that handles medical records — was also affected. In January, patient data from several U.S. hospitals was reportedly exposed due to another breach.

Even though Oracle says its main services weren’t touched, these events show how risky old systems can be if they aren’t retired properly. Businesses are being reminded to strengthen their security, replace weak or hidden credentials, and keep an eye on their systems for any suspicious behavior.



Read more »
IT Service
CentreStack CISA Cyber Crime IT Service

Serious Flaw Found in Popular File-Sharing Tool Used by IT Providers

 



A major security problem has been found in a widely used file-sharing platform, and hackers have already started taking advantage of it. This tool, called CentreStack, is often used by IT service providers to help businesses manage and share files.

The issue is being tracked under the name CVE-2025-30406. It is considered a serious flaw and has been actively misused since March, though it was only officially revealed to the public in early April.

The problem is related to how the platform protects certain types of information. A key used to secure data was either left exposed or was built into the software in a way that made it easy to find. If someone with bad intentions gets hold of this key, they can send fake data that the system will wrongly accept as safe. This can allow the attacker to run harmful code on the servers, potentially giving them full control.

This becomes even more concerning because CentreStack is especially popular among managed service providers (MSPs). These companies use the platform to support several clients at once. If one provider is hacked, all of their customers could be at risk too. This kind of setup, known as multi-tenancy, means a single breach could affect many organizations.

The U.S. government’s cybersecurity team, CISA, officially added this bug to their list of known threats on April 9. They have given federal agencies until April 29 to fix the problem. The software maker, Gladinet, confirmed that the bug has already been used in real attacks.

Experts in the field warn that this bug allows cybercriminals to run programs on affected systems without permission. That’s why it’s extremely important for all users of the platform to install the latest updates right away.

Over the past few years, hackers have increasingly focused on software used by IT service providers. In one past incident, a separate tool used by providers was attacked, leading to the spread of ransomware to many businesses.

Businesses that rely on CentreStack are strongly advised to apply all updates and follow the safety steps recommended by the company. Taking action quickly can prevent much larger problems down the line.


Read more »
Vulnerabilities and Exploits
Chinese Hacker CISA FBI Ransomware Gang Vulnerabilities and Exploits

FBI And CISA Issues Warning of Ongoing ‘Ghost’ Ransomware Attack

 

Ghost, a ransomware outfit, has been exploiting software and firmware flaws since January, according to an FBI and Cybersecurity and Infrastructure Security Agency (CISA) advisory issued last week.

The outfit, also known as Cring and based in China, focusses on internet-facing services with unpatched vulnerabilities that users might have fixed years ago, according to the agencies. Cybersecurity researchers initially raised concerns about the group in 2021. 

"This indiscriminate targeting of networks containing vulnerabilities has resulted in the compromise of organisations in more than 70 countries, including China," according to the notice issued by the Multi-State Information Sharing and Analysis Centre (MS-ISAC).

The notice lists the following vulnerabilities: Microsoft Exchange servers that are still vulnerable to the ProxyShell attack chain; servers running Adobe's ColdFusion for web applications; and issues in unpatched Fortinet security appliances. 
 
Critical infrastructure, schools and universities, healthcare, government networks, religious institutions, technology and manufacturing companies, and numerous small- and medium-sized businesses are among the listed victims since 2021, according to the notice. The goal is financial gain, with ransom demands occasionally amounting to hundreds of thousands of dollars.

“Persistence is not a major focus for Ghost actors, as they typically only spend a few days on victim networks,” the agencies further added. “In multiple instances, they have been observed proceeding from initial compromise to the deployment of ransomware within the same day.” 

The notice claims that the ransomware outfit employs common hacking tools like Cobalt Strike and Mimikatz, and that the malware they deploy frequently has file names like Cring.exe, Ghost.exe, ElysiumO.exe, and Locker.exe. 

“The impact of Ghost ransomware activity varies widely on a victim-to-victim basis,” the agencies concluded. “Ghost actors tend to move to other targets when confronted with hardened systems, such as those where proper network segmentation prevents lateral moment to other devices.” 

Prevention tips 

To combat against Ghost ransomware attacks, network defenders should take the following steps:

  • Create regular, off-site system backups that cannot be encrypted by ransomware. 
  • Patch the operating system, software, and firmware vulnerabilities as quickly as feasible.
  • Focus on the security holes targeted by Ghost ransomware (i.e., CVE-2018-13379, CVE-2010-2861, CVE-2009-3960, CVE-2021-34473, CVE-2021-34523, CVE-2021-31207). 
  • Segment networks to restrict lateral movement from compromised devices. 
  • Implement phishing-resistant multi-factor authentication (MFA) for all privileged accounts and email service accounts.
Read more »
Multi-Factor Authentication (MFA)
CISA Cyber Security Cybersecurity measures FBI FIDO Hackers MFA mobile phone Multi-Factor Authentication (MFA)

CISA's Enhanced Mobile Security Recommendations Following U.S. Telecom Breach

 



The Cybersecurity and Infrastructure Security Agency (CISA) issued updated recommendations in December 2024 aimed at enhancing mobile phone cybersecurity. Following a significant hack involving major U.S. telecom companies like AT&T, Verizon, and Lumen Technologies, these guidelines focus on adopting more secure multifactor authentication (MFA) methods. 
  
Understanding MFA and Its Vulnerabilities 
 
Multifactor authentication (MFA) is a popular cybersecurity measure requiring users to provide additional verification beyond a password. Common practices include:
  • Text Message Verification: Receiving a one-time code via SMS.
  • Device-Based Approvals: Confirming login attempts on associated devices.
However, CISA has raised concerns about the vulnerability of certain MFA techniques, particularly text-based verification. Text message-based MFA, while convenient, is susceptible to interception by hackers. 

The breach highlighted flaws in text messaging systems, particularly when messages were sent between incompatible platforms like Android and iPhone. Malicious actors exploited these weaknesses to intercept authentication codes and gain unauthorized access to user accounts. While CISA continues to advocate for MFA, it strongly urges users to shift away from text-based methods. 

  
Recommendations for Safer Alternatives 

 
CISA recommends adopting authenticator apps as a more secure MFA option. These apps generate time-sensitive codes that operate independently of messaging systems, making them less prone to interception. However, they remain vulnerable to phishing attacks, where users may be tricked into revealing sensitive information. 

For users seeking the most secure MFA solution, CISA suggests transitioning to phishing-resistant methods like the FIDO (Fast Identity Online) protocol. Developed by the FIDO Alliance, this technology eliminates traditional passwords and uses:
  • Digital Passkeys: Unique codes linked to user accounts.
  • Physical USB Devices: Hardware keys that connect to computers.
The FIDO protocol also supports PINs and biometric identifiers like fingerprints and facial recognition, providing a robust defense against phishing attempts. 

CISA’s latest recommendations highlight the growing need for stronger cybersecurity measures. By moving away from text-based MFA and adopting secure alternatives like authenticator apps and the FIDO protocol, users can better protect their personal information and maintain digital security in an increasingly interconnected world.
Read more »
US Agency
Chinese Hackers CISA cyber espionage Cyber Security US Agency

CISA Issues Mobile Security Guidelines Amid Cyber Espionage Threats

 

The US Cybersecurity and Infrastructure Security Agency (CISA) released a comprehensive guide on Wednesday to help individuals in highly targeted positions protect their mobile communications from malicious actors. This move follows a series of sophisticated telecom hacks that impacted major US wireless carriers, including Verizon, AT&T, Lumen Technologies, and T-Mobile. The attacks were linked to Salt Typhoon, a China-backed cyber espionage group.

Earlier this month, the US government emphasized strengthening communications infrastructure security, with specific focus on risks tied to Cisco devices, a prime target for state-sponsored hackers. In line with this, CISA unveiled its Mobile Communications Best Practice guide, aimed at mitigating risks posed by foreign threat actors, especially Chinese cyber espionage groups.

Who Needs This Guide?

CISA’s guidelines are tailored for individuals in senior government and political roles, who are more likely to possess information of interest to sophisticated threat actors. The agency warned, “Highly targeted individuals should assume that all communications between mobile devices—including government and personal devices—and internet services are at risk of interception or manipulation.”

Key Recommendations

  • Use Encrypted Messaging Apps: CISA recommends apps like Signal, which provide end-to-end encryption and features like vanishing messages for enhanced privacy.
  • Enable Phishing-Resistant MFA: Implement Fast Identity Online (FIDO) multi-factor authentication and avoid SMS-based MFA for improved account security.
  • Adopt Additional Security Practices:
    • Use password managers and telco PINs or passcodes for mobile accounts.
    • Regularly update operating systems and applications.
    • Opt for the latest phone models from manufacturers with strong security records.
    • Avoid private virtual private networks (VPNs) due to potential vulnerabilities.

Special Recommendations for Android Users

Android device users are advised to:

  • Enable end-to-end encryption in Rich Communication Services (RCS).
  • Protect DNS queries and use secure connections in Chrome.
  • Activate Enhanced Protection in Safe Browsing and Google Play Protect.
  • Limit unnecessary app permissions to reduce exposure to vulnerabilities.

As cyber threats grow in complexity, CISA’s proactive guidelines serve as a critical resource for mitigating risks and securing sensitive communications. For the complete document, visit the CISA website.

Read more »
Subscribe to: Posts (Atom)