
Simplifying Data Management in the Age of AI

 


In today's fast-paced business environment, data has become central to innovation and growth. Alongside this opportunity, however, comes the responsibility of managing data effectively to avoid legal issues and security breaches. With the rise of artificial intelligence (AI), businesses are facing a data explosion, which presents both challenges and opportunities.

According to Forrester, unstructured data is expected to double by 2024, largely driven by AI applications. Despite this growth, the cost of data breaches and privacy violations is also on the rise. Recent incidents, such as hacks targeting sensitive medical and government databases, highlight the escalating threat landscape. IBM's research reveals that the average total cost of a data breach reached $4.45 million in 2023, a significant increase from previous years.

To address these challenges, organisations must develop effective data retention and deletion strategies. Deleting obsolete data is crucial not only for compliance with data protection laws but also for reducing storage costs and minimising the risk of breaches. This involves identifying redundant or outdated data and determining the best approach for its removal.

Legal requirements play a significant role in dictating data retention policies. Regulations stipulate that personal data should only be retained for as long as necessary, driving organisations to establish retention periods tailored to different types of data. By deleting obsolete data, businesses can reduce legal liability and mitigate the risk of fines for privacy law violations.

Creating a comprehensive data map is essential for understanding the organization's data landscape. This map outlines the sources, types, and locations of data, providing insights into data processing activities and purposes. Armed with this information, organisations can assess the value of specific data and the regulatory restrictions that apply to it.

Determining how long to retain data requires careful consideration of legal obligations and business needs. Automating the deletion process can improve efficiency and reliability, while techniques such as deidentification or anonymization can help protect sensitive information.

Collaboration between legal, privacy, security, and business teams is critical in developing and implementing data retention and deletion policies. Rushing the process or overlooking stakeholder input can lead to unintended consequences. Organisations must therefore take a strategic and informed approach to data management.

All in all, effective data management is essential for organisations seeking to harness the power of data in the age of AI. By prioritising data deletion and implementing robust retention policies, businesses can mitigate risks, comply with regulations, and safeguard their digital assets.


Microsoft Acknowledges Hacking Incident Targeting Outlook and OneDrive in June

 

Microsoft faced significant service disruptions in early June, affecting their flagship office suite, including Outlook email and OneDrive file-sharing apps, as well as their cloud computing platform. A hacktivist group called Anonymous Sudan claimed responsibility for these disruptions, conducting distributed denial-of-service (DDoS) attacks by flooding the sites with junk traffic.

Initially, Microsoft was hesitant to reveal the cause but has now confirmed that the DDoS attacks from the aforementioned group were indeed responsible. However, the company has provided limited details and did not immediately comment on the number of affected customers or the global impact. Microsoft confirmed that Anonymous Sudan was behind the attacks, as claimed by the group on its Telegram social media channel. Some security researchers suspect the group to have ties to Russia.

Following a request by The Associated Press, Microsoft published an explanation in a blog post on Friday evening. However, the post lacked specific information, stating that the attacks temporarily affected the availability of some services. It also mentioned that the attackers aimed for disruption and publicity, likely utilizing rented cloud infrastructure and virtual private networks to bombard Microsoft servers using botnets comprised of infected computers worldwide.

Microsoft clarified that there was no evidence of customer data being accessed or compromised during the attacks. While DDoS attacks primarily cause inconvenience by rendering websites unreachable, experts emphasize that they can still disrupt the work of millions, especially if they successfully interrupt the services of major software service providers like Microsoft, which play a crucial role in global commerce.

The extent of the impact caused by the attacks on Microsoft's services remains unclear.

“We really have no way to measure the impact if Microsoft doesn’t provide that info,” said Jake Williams, a prominent cybersecurity researcher and a former National Security Agency offensive hacker. Williams said he was not aware of Outlook previously being attacked at this scale.

“We know some resources were inaccessible for some, but not others. This often happens with DDoS of globally distributed systems,” Williams added. He said Microsoft’s apparent unwillingness to provide an objective measure of customer impact “probably speaks to the magnitude.”

Microsoft referred to the attackers as Storm-1359, a designation the company uses for groups whose affiliation has not yet been established. Determining the identity of adversaries in cybersecurity investigations can be a time-consuming challenge, particularly when they possess advanced skills.

Pro-Russian hacking groups, including Killnet, which cybersecurity firm Mandiant links to the Kremlin, have been conducting DDoS attacks on government and other websites affiliated with Ukraine's allies. In October, some U.S. airport sites were targeted. Analyst Alexander Leslie from Recorded Future, a cybersecurity firm, stated that it is unlikely for Anonymous Sudan to be located in Sudan, as they claim, and suggested that the group collaborates closely with Killnet and other pro-Kremlin groups to disseminate pro-Russian propaganda and disinformation.

Edward Amoroso, CEO of TAG Cyber and a professor at NYU, emphasized that the Microsoft incident highlights an ongoing and "significant risk that we all just agree to avoid talking about. It's not controversial to call this an unsolved problem." He suggested that the best defense against such attacks is to distribute services widely, such as by utilizing a content distribution network.

Security researcher Kevin Beaumont noted that the techniques employed by the attackers are not new, with one dating back to 2009.

On Monday, June 5, serious impacts from the Microsoft 365 office suite interruptions were reported, reaching a peak of 18,000 outage and problem reports on the Downdetector tracker shortly after 11 a.m. Eastern time.

Microsoft acknowledged the disruption of services, including Outlook, Microsoft Teams, SharePoint Online, and OneDrive for Business. The attacks persisted throughout the week, and Azure, Microsoft's cloud computing platform, was confirmed to have been affected on June 9. During this time, OneDrive's cloud-based file-hosting experienced a global outage, although the desktop clients remained unaffected.

Marshals' Computer System Still Down 10 Weeks After Hack


A computer system used by the U.S. Marshals Service to track and hunt fugitives remains down 10 weeks after a hack, raising concerns about the effectiveness of the agency’s surveillance efforts. The hack, which occurred in February, forced the Marshals to shut down their electronic surveillance system, which tracks fugitives and monitors their movements through GPS-enabled ankle bracelets.

According to a statement from the Marshals, the agency is still working to bring the system back online and has been forced to rely on manual surveillance techniques in the meantime. This includes the use of physical surveillance teams and other traditional methods of tracking fugitives.

The prolonged downtime of the electronic surveillance system has raised concerns about the ability of the Marshals to effectively track and apprehend fugitives, particularly in cases where they may pose a significant threat to public safety. The agency has not provided details on the scope or nature of the hack, nor has it disclosed whether any sensitive data or information was compromised as a result of the breach.

The hack of the Marshals’ electronic surveillance system underscores the growing threat posed by cyber-attacks on critical infrastructure and government agencies. These attacks can have far-reaching consequences, potentially compromising sensitive data, disrupting essential services, and undermining public safety and national security.

As cyber threats continue to evolve and become more sophisticated, it is essential that government agencies and organizations responsible for critical infrastructure invest in robust cybersecurity measures and stay ahead of the curve in detecting and responding to potential attacks. This includes implementing advanced security protocols and regular security assessments, as well as investing in staff training and education to ensure that all employees are aware of the risks and how to respond in the event of a breach.

The prolonged downtime of the Marshals' electronic surveillance system underscores the need for government agencies and critical infrastructure organizations to remain vigilant and proactive in protecting against cyber threats. As the threat of cyber attacks continues to evolve, investment in robust cybersecurity measures, protocols, and staff education is necessary to ensure the protection of sensitive data and essential services.

7 Minutes a Day, Malicious Cyber Criminals Strike, Here's How to Defend

 


There has been an increase in malicious cyberattacks targeting Australian businesses over the last few years. As a result, these businesses are being advised to raise their standards when protecting customer information. 

A new report published by the Australian Cyber Security Centre (ACSC) has found that sophisticated state and criminal actors are striking more frequently, with a cyber crime being reported every seven minutes. 

In the wake of the "concerning" report that was released by the Department of Homeland Security, Cyber Security Minister Clare O'Neil put businesses on notice that they will need to handle the cyber data of their customers more securely and effectively. 

During the past financial year, the Cyber Security Agency received over 76,000 reports from the community about cyber-related issues, which was a 13 percent increase from last year's number. 

The number of publicly reported security holes also increased by 25 percent over the previous year. 

An estimated $100 million has been lost by Australians through compromised email systems, an average loss of $64,000 for each business email compromise reported to the authorities.

Fraudulent emails are sent by scammers who send emails purporting to be businesses to solicit payments. For example, a real estate agent will ask for a deposit on a property. 

Richard Marles, the Deputy Prime Minister, has said that everyone needs to be more alert to possible threats. 

"In comparison to cyberspace, the environment in which we live is much more challenging. Although there are many pickpockets around, this appears to be happening at an unprecedented level," he told ABC radio station. 

Keeping yourself safe does not have to be complicated. There are several simple steps anyone can take to do so. 

The measures include not clicking on unexpected links in text messages or emails, keeping software up to date, and taking additional care when handling personal data. 

In a recent interview, Marles said the government was investing heavily in the cybersecurity sector. In response to this, the company updated its systems and considered a public education campaign. 

There has been a study that suggests small businesses lose on average $39,000 as a result of cyberattacks, and the figure reaches $88,000 for medium-sized businesses as a result of these attacks. 

It has been reported that the average loss was $112,000 in Western Australia and $26,000 in the Northern Territory, according to the Australian Bureau of Statistics. 

As per the NSW government, the average loss was almost $70,000, and the losses in all other states and territories were between $50,000 and $50,000 on average. 

Cyber incidents affect about a third of the total number of computers in the state and Commonwealth of Australia, with the Commonwealth and state governments at risk. 

As a result, the next big target was healthcare systems. This is mainly because cybercriminals are targeting vulnerable businesses that are more likely to pay a ransom when they want their data back. Therefore, health systems are the ideal next target. 

Abigail Bradshaw, the agency's director, said that cyber threats are continually evolving and that they are more frequently targeting the country's critical infrastructure, which is becoming more widespread. 

As a result of the program, more than 24 million malicious domain requests have been blocked. In addition, 29,000 attacks on Australian services have been taken down. Furthermore, 185 ransomware movements have been stopped, which represents an increase of 75 percent. 

Besides this, the agency was also involved in five successful operations, which included the shutdown of online criminal marketplaces as well as foreign scam networks. 

How to protect yourself 


As part of its recommendations, the ACSC urges individuals to take steps to protect themselves from cybercrime. 

  • Information that is critical to the organization should be protected by updated devices 
  • Turn on multi-factor authentication to make the system more secure 
  • Make sure that you regularly back up your devices 
  • Passphrases should be set up to ensure their security 
  • You should report scams and keep an eye out for threats if you come across them

Report: Mexico Continued to Utilize Spyware Against Activists

 

Despite President Andrés Manuel López Obrador's pledge to end such practices, the Mexican government or army is said to have continued to use spyware designed to hack into activists' cellphones. 

As per press freedom groups, they discovered evidence of recent attempts to use the Israeli spyware programme Pegasus against activists investigating human rights violations by the Mexican army. A forensic investigation by the University of Toronto group Citizen Lab confirmed the Pegasus infection. 

The targets included rights activist Raymundo Ramos, according to a report by the press freedom group Article 19, the Network for the Defense of Digital Rights, and Mexican media organisations. Ramos has spent years documenting military and police abuses, including multiple killings, in Nuevo Laredo, a drug cartel-dominated border city. In 2020, Ramos' cellphone was apparently infected with Pegasus spyware.

“They do not like us documenting these types of cases, for them to be made public and have criminal complaints filed,” Ramos said.

Other victims in 2019 and 2020 included journalist and author Ricardo Raphael and an unnamed journalist for the online media outlet Animal Politico. 

According to Daniel Moreno, director of Animal Politico, "if the president didn't know, that is very serious because it means the army was spying on him without his consent. If the president was aware, it would be extremely serious."

López Obrador took office in December 2018 with the promise of ending government spying. The president claimed that as an opposition leader, he had been subjected to government surveillance for decades. López Obrador said in 2019, in response to questions about the use of Pegasus, “We are not involved in that. Here we have decided not to go after anybody. Before, when we were in the opposition, we were spied on.”

According to the report, the Mexican army requested price quotes for surveillance programmes from companies involved in the distribution of Pegasus, which the company claims is only sold to governments. The hacker group Guacamaya discovered army documents containing requests for price quotes from 2020, 2021, and 2022.

Because of the nature of their work and the timing of the espionage, the victims of the spyware attacks assumed the military was to blame. Leopoldo Maldonado, the director of Article 19, stated, “All of this indicates two possible scenarios: the first, that the president lied to the people of Mexico. The second is that the armed forces are spying behind the president’s back, disobeying the orders of their commander in chief.”

When reached for comment, a spokesman for Mexico's Defense Department stated that there was no immediate response to the allegations. In 2021, a Mexican businessman was arrested on suspicion of spying on a journalist with the Pegasus spyware, but the Israeli spyware firm NSO Group distanced itself from him. In Mexico, the businessman has long been described as an employee of a company that acted as an intermediary in spyware purchases.

According to López Obrador's top security official, two previous administrations spent $61 million on Pegasus spyware. The NSO Group has been linked to government surveillance of political opponents and journalists all over the world. 

"NSO's technologies are only sold to vetted and approved government entities," as per the company.

Mexico had the largest list — approximately 15,000 phone numbers — of more than 50,000 reportedly selected for potential surveillance by NSO clients.

López Obrador has relied on the military more and given it more responsibilities than any of his predecessors, from building infrastructure to overseeing seaports and airports. This has sparked concern that the Mexican army, which has traditionally avoided politics, is becoming a force unto itself, with little oversight or transparency.

'Witchetty’ Group Targeted Middle Eastern Gov, Stock Exchange of African Nation

 

A cyber-espionage group is targeting the governments of several Middle Eastern countries and has previously attacked an African country's stock exchange, stealing massive amounts of data with malware. 

The Symantec Threat Hunter Team named the espionage group "Witchetty" in a report published Thursday, but it has also been known as "LookingFrog." Witchetty attacks are distinguished by the use of two pieces of malware: X4 and a second-stage payload known as LookBack. 

“From what we can see, their end goal is classic espionage, finding computers on the network, stealing data and exfiltrating it out of the organization,” said Dick O’Brien, a member of the Symantec Threat Hunter team.

In recent months, the group has been updating its tools to use steganography, a technique in which hackers hide malicious code within an image. In Witchetty's case, the malware is disguised as a Microsoft Windows logo.

Symantec tracked the group's attacks from February to September, noting that the attackers used ProxyShell (CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207) and ProxyLogon (CVE-2021-26855 and CVE-2021-27065) vulnerabilities to obtain access in three incidents.

According to several national cybersecurity agencies, ProxyShell and ProxyLogon are among the vulnerabilities most commonly exploited by threat groups. Having gained access, the attackers stole credentials, moved laterally across the network, and installed malware on other computers from there.

The attackers used the ProxyShell vulnerability to launch an attack on a Middle Eastern government agency on February 27. The hackers moved around the network for several months, exfiltrating data and stealing other information. The hackers' most recent actions occurred on September 1, when they downloaded several remote files.

O'Brien told The Record that they do not have enough information to make an attribution at this time, but that Witchetty was first discovered in April by ESET researchers, who stated it was part of a larger cyber-espionage operation linked to the Chinese state-backed advanced persistent threat (APT) group Cicada or APT10. According to ESET, the group has specifically targeted governments, diplomatic missions, charities, and industrial/manufacturing organisations.

Symantec previously linked the group to a VLC Media Player attack campaign, prompting the Indian government to outright ban the popular programme earlier this year. The group was accused in February of carrying out a months-long attack on Taiwan's financial sector.

APT10, according to the anonymous research group IntrusionTruth, was based in Tianjin, China, and allegedly operated out of the Tianjin State Security Bureau, a regional arm of the Chinese Ministry of State Security. In the summer of 2018, Rapid7 and Recorded Future implicated the group in another attack on Norwegian cloud service provider Visma AG.

US FBI Warned Organisations of the Egregor Ransomware Attacks

 

The US-based FBI (Federal Bureau of Investigation) has warned of upcoming ransomware attacks against hospitals and private organizations. It initially issued an alert saying that there was a credible ransomware threat that may harm hospitals and other private organizations, in the wake of the increasing cyber-crime rate in the USA. As the situation worsened, it warned organizations to stay alert with eyes wide open and patches ready. It is noteworthy that since the FBI's warning, one organization after another has fallen victim to these attacks. 

Initially, the organizations witnessed some issues with their IT system, and then they started receiving some phishing emails from various sites. The suddenness of the events made the organizations trust the warning released by the FBI, as the Egregor's chaos unfolded. 

The Egregor ransomware attack targets organizations worldwide. The threat actors behind the operation hack into the networks of the organizations and steal sensitive data. Once the data is exfiltrated, they encrypt all the files and then leave a ransom note stating that, if the organization fails to pay the ransom within the given time, the stolen data will not only be leaked but will also be distributed to the public by means of mass media. 

The Egregor ransomware was first seen in the threat landscape in September 2020, and since then the Egregor gang has claimed to have compromised over 150 organizations. It has also claimed to have leaked the data of two of the world's biggest gaming giants, Ubisoft and Crytek. The obtained data of these two companies is posted on the ransomware gang's dark web site, which indicates that the two companies did not pay the demanded ransom. Despite warnings by security experts, it is difficult to actively avoid falling prey to ransomware attacks, owing to the nature and modus operandi of such threats. Besides Ubisoft and Crytek, other companies, namely Barnes & Noble, Cencosud, and Metro Vancouver's agency TransLink, were also on the list. 

“The FBI assesses Egregor ransomware is operating as a Ransomware as a Service Model. In this model, multiple different individuals play a part in conducting a single intrusion and ransomware event. Because of the large number of actors involved in deploying Egregor, the tactics, techniques, and procedures (TTPs) used in its deployment can vary widely, creating significant challenges for defense and mitigation.” read the FBI's alert. “Egregor ransomware utilizes multiple mechanisms to compromise business networks, including targeting business network and employee personal accounts that share access with business networks or devices".

Such ransomware attacks are performed with the help of phishing emails that may contain malicious attachments, or through exploits for the remote desktop protocol (RDP) or VPNs. It must be noted that following the release of the FBI's warning to the organizations, the threat actors have seemingly picked up their pace in response to the FBI's action against them, making the entire picture clearer. 

The Exploitation of Rowhammer Attack Just Got Easier




With an increasing number of hacks and exploits focused solely on fundamental properties of the underlying hardware, Rowhammer is one such attack, known since 2012, that exploits a serious weakness in recent-generation dynamic random access memory (DRAM) chips: repeatedly accessing one region of memory can cause "bit flipping" in adjacent rows, enabling anybody to alter the contents of the PC's memory.

All previously known Rowhammer attack methods required privilege escalation, which implies that the attacker first needed to find and exploit a weakness within the system. Unfortunately, that is no longer true, as researchers have discovered that a Rowhammer attack can be triggered using network packets.

Termed 'Throwhammer,' the newfound technique could enable attackers to launch a Rowhammer attack on targeted systems just by sending specially crafted packets to the vulnerable network cards over the Local Area Network.

A week ago, security researchers detailed a proof-of-concept Rowhammer attack technique, named GLitch, that uses embedded graphics processing units (GPUs) to carry out Rowhammer attacks against Android devices.

However, all previously known Rowhammer attack methods required privilege escalation on a target device, which means that the attackers needed to execute code on the targeted machines, either by luring victims to a malicious website or by tricking them into installing a malicious application.



Unfortunately, this limitation has now been eliminated, at least for some devices. Researchers at the Vrije Universiteit Amsterdam and the University of Cyprus have now discovered that sending malicious packets over the LAN can trigger a Rowhammer attack on systems running Ethernet network cards equipped with Remote Direct Memory Access (RDMA), which is widely used in clouds and data centres.

Since RDMA-enabled network cards allow computers on a network to exchange data (with read and write privileges) directly in main memory, abusing this capability to access the host's memory in rapid succession can trigger bit flips in DRAM.

"We rely on the commonly-deployed RDMA technology in clouds and data centres for reading from remote DMA buffers quickly to cause Rowhammer corruptions outside these untrusted buffers, these corruptions allow us to compromise a remote Memcached server without relying on any software bug," the researchers said in a paper [PDF] published Thursday.

Since triggering a bit flip requires a huge number of memory accesses to particular DRAM locations within milliseconds, a successful Throwhammer attack would require a very high-speed network of no less than 10 Gbps.

In their experimental setup, the researchers achieved bit flips on the targeted server after accessing its memory 560,000 times in 64 milliseconds by sending packets over the LAN to its RDMA-enabled network card.

Since Rowhammer exploits a weakness in computer hardware, no software fix can completely settle the issue once and for all. The researchers believe that the Rowhammer risk is not only real but also has the potential to cause serious damage.

For more in-depth information on this new attack technique, readers can consult the paper published by the researchers on Thursday [PDF], titled "Throwhammer: Rowhammer Attacks over the Network and Defenses".

Hackers Target Winter Olympics to be Held in South Korea

Cybersecurity company McAfee has discovered that hackers have targeted organizations connected to the Winter Olympics that will be held in South Korea, and have tried to access sensitive information.

The hacking campaign ran from December 22 and is still under investigation by the firm. McAfee has stated that the attacks point to “a nation-state adversary that speaks Korean.”

The attacks seem to have been carried out via emails sent to various organizations which contained a malicious document that, if enabled, would create a hidden back channel into the computer. These emails were disguised as being sent by South Korea’s National Counter-Terrorism Council.

The emails were sent from a Singapore IP address and told receivers to open a text document in Korean.

Among those sent the messages are individuals associated with the ice hockey tournament at the Olympics. McAfee Labs has published a report on the campaign on its website.

According to a senior analyst at McAfee, at least one of the recipients was infected by the document.