IBM Signals Major Paradigm Shift as Valid Account Attacks Surge


According to IBM X-Force's findings, poor credential management means enterprises often cannot distinguish legitimate authentication from unauthorized access. Many security products are not designed to detect the misuse of valid credentials by illegitimate operators, which is a major problem for organizations trying to spot such abuse.

Henderson added that these products simply do not see the activity as illegitimate. Alongside widespread credential reuse and the vast stock of valid credentials offered for sale on the dark web, IBM noted that cloud account credentials make up almost 90% of the assets for sale there, which is also fuelling the rise of identity-based attacks.

Credential reuse, Henderson said, gives threat actors the same result a single sign-on provider gives a legitimate user: access to a large number of accounts at once. Because people reuse the same credentials across many different accounts, the credentials themselves become a de facto single sign-on.

In the year 2023, the number of phishing campaigns that were linked to attacks declined by 44% from 2022 as threat actors flocked to valid credentials. Phishing accounted for almost one in three of the total number of incidents resolved by X-Force in 2016. 

Henderson described this not as a technology shift on the part of threat actors but as a business strategy shift: they are taking low-cost routes of entry to maximize their return on investment. According to IBM's report, organizations still need to correct the mistakes cybersecurity experts have warned about for years.

Henderson had expected the industry to be dealing with newer and bigger problems by now, but he does not seem discouraged at all. In his view, the report simplifies what needs to be done, and nothing it highlights is insurmountable.

Henderson explained that focusing on the right things and prioritizing them will solve the authentication problem. Henderson added that even if authentication is solved, it will be followed by another problem. 

However, every success on the defensive side reduces the attackers' return on investment and makes it harder for them to commit crimes. Dismantling the business model that governs cybercrime takes a lot of effort, and that is exactly what companies are trying to do.

SaaS Challenges and How to Overcome Them


According to 25% of participants in an IBM study conducted in September 2022 among 3,000 companies and tech executives worldwide, security worries stand in the way of their ability to achieve their cloud-related goals. Nowadays, a lot of organizations think that using the cloud comes with hazards. However, the truth is not quite that dire; if you follow certain security best practices, the cloud may be a safe haven for your data.

Businesses need to have a solid security plan in place to handle their SaaS security concerns if they want to fully benefit from cloud computing. In the first place, what are these worries?

SaaS Challenges

  • Lack of IT security experts. Companies compete intensely for qualified specialists in a tight market for IT security professionals, especially those working on cloud security. In the United States, the available skilled workforce is often enough to cover only 66% of cybersecurity job openings.
  • Problems with cloud migration. A major obstacle to cloud adoption, according to 78% of cloud decision-makers surveyed by Flexera in 2023, was a lack of resources and experience. Inexperience with cloud systems can result in security-compromising migration errors.
  • Insider dangers and data breaches. Regretfully, the largest challenge facing cloud computing is still data breaches. 39% of the firms polled in the 2023 Thales Cloud Security Study reported having data breaches.
  • SaaS sprawl. Some businesses use more SaaS tools than they need. According to BetterCloud, companies used 130 SaaS apps on average in 2022, 18% more than in 2021. Managing many SaaS apps increases both the knowledge required and the scope for error.
  • Adherence to regulations. The technology used in clouds is quite recent. As a result, there may be gaps in some SaaS standards, and industry or national compliance standards are frequently different. Security is compromised when SaaS tools are used that don't adhere to international rules or lack industry standards.
  • Security and certification requirements. To protect client data, SaaS providers must adhere to industry standards like SOC 2 and ISO 27001. Although it requires more work for vendors, certifying adherence to such standards is crucial for reducing security threats.

Monitoring Leading SaaS Security Trends

Cyberattacks will cost businesses $10.5 trillion annually by 2025, a 300% increase over 2015, predicts McKinsey. Businesses need to keep up with the latest developments in data security if they want to reduce the risk and expense of cyberattacks. They must adopt a shared responsibility model and cloud-native solutions built with DevSecOps standards to actively manage their SaaS security.


Sophisticated Web Injection Campaign Targets 50,000 Individuals, Pilfering Banking Data


Web injections, a favoured technique employed by various banking Trojans, have been a persistent threat in the realm of cyberattacks. These malicious injections enable cybercriminals to manipulate data exchanges between users and web browsers, potentially compromising sensitive information. 

A new finding reveals that a malware campaign first spotted in March 2023 has used JavaScript web injections in an attempt to steal data from over 50 banks, affecting around 50,000 users in North America, South America, Europe, and Japan.

IBM Security has dissected some JavaScript code that was injected into people's online banking pages to steal their login credentials, saying 50,000 user sessions with more than 40 banks worldwide were compromised by the malicious software in 2023. As IBM’s researchers explained, it all starts with a malware infection on the victim’s endpoint. 

After that, when the victim visits a malicious site, the malware will inject a new script tag which is then loaded into the browser and modifies the website’s content. That allows the attackers to grab passwords and intercept multi-factor authentication codes and one-time passwords.

IBM says this extra step is unusual, as most malware performs web injections directly on the web page. This new approach makes the attacks more stealthy, as static analysis checks are unlikely to flag the simpler loader script as malicious while still permitting dynamic content delivery, allowing attackers to switch to new second-stage payloads if needed. 

It's also worth noting that the malicious script resembles legitimate JavaScript content delivery networks (CDN), using domains like cdnjs[.]com and unpkg[.]com, to evade detection. Furthermore, the script performs checks for specific security products before execution. Judging by the evidence to hand, it appears the Windows malware DanaBot, or something related or connected to it, infects victims' PCs – typically from spam emails and other means – and then waits for the user to visit their bank website. 

At that point, the malware kicks in and injects JavaScript into the login page. This injected code executes on the page in the browser and intercepts the victim's credentials as they are entered, which can be passed to fraudsters to exploit to drain accounts. The script is fairly smart: it communicates with a remote command-and-control (C2) server, and removes itself from the DOM tree – deletes itself from the login page, basically – once it's done its thing, which makes it tricky to detect and analyze. 

The malware can perform a series of nefarious actions, and these are based on a "mlink" flag the C2 sends. In total, there are nine different actions that the malware can perform depending on the "mlink" value. These include injecting a prompt for the user's phone number or two-factor authentication token, which the miscreants can use with the intercepted username and password to access the victim's bank account and steal their cash. 

The script can also inject an error message on the login page that says the banking services are unavailable for 12 hours. "This tactic aims to discourage the victim from attempting to access their account, providing the threat actor with an opportunity to perform uninterrupted actions," Langus said. Other actions include injecting a page loading overlay as well as scrubbing any injected content from the page.  

"This sophisticated threat showcases advanced capabilities, particularly in executing man-in-the-browser attacks with its dynamic communication, web injection methods and the ability to adapt based on server instructions and current page state," Langus warned. "The malware represents a significant danger to the security of financial institutions and their customers." Cybercriminals are using sophisticated web injection techniques against banks throughout the world, in a campaign that has affected over 50,000 user sessions, and the threat is escalating.

DanaBot, or similar malware, manipulates user data through JavaScript injections, which lets its operators steal login credentials with ease. In the attack detected by IBM Security, malicious scripts are injected directly into banking pages and adapt dynamically, evading conventional detection methods.

To prevent malware infections, users are advised to keep their software up to date, enable multi-factor authentication, and exercise caution when opening emails. Protection against the evolving and adaptive nature of advanced cyber threats requires continued vigilance in identifying and reporting suspicious activity.
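The injection pattern above (a new script tag added to a bank page, served from a domain that resembles a legitimate CDN, and removed from the DOM once it has done its work) is something a site owner can watch for from the client side. The following is an added example written for this page, not code from IBM's analysis or from the campaign; the first-party host `bank.example`, the lookalike host and the IP address in the sample are assumed for illustration.

```javascript
// Added example (not from IBM's analysis or the campaign's code): flag <script>
// elements whose source host is neither first-party nor a trusted CDN, and
// call out hosts that merely resemble a trusted CDN. Hostnames below are
// assumed for illustration; "bank.example" stands in for the real site.
const PAGE_ORIGIN = "https://bank.example";
const TRUSTED_HOSTS = new Set([
  "bank.example",          // assumed first-party host (add real subdomains here)
  "cdnjs.cloudflare.com",  // real cdnjs host
  "unpkg.com",             // real unpkg host
]);

function hostOf(src) {
  try {
    return new URL(src, PAGE_ORIGIN).hostname.toLowerCase();
  } catch {
    return null;
  }
}

// Does the candidate host reuse a trusted host's leading label (e.g. "cdnjs")
// under a different domain? Returns the trusted host it imitates, or null.
function looksLike(host) {
  const labels = host.split(".");
  for (const trusted of TRUSTED_HOSTS) {
    const brand = trusted.split(".")[0];
    if (host !== trusted && labels.includes(brand)) return trusted;
  }
  return null;
}

function classifyScript(src) {
  const host = hostOf(src);
  if (host === null) return { src, host, verdict: "unparseable" };
  if (TRUSTED_HOSTS.has(host)) return { src, host, verdict: "trusted" };
  const mimics = looksLike(host);
  if (mimics) return { src, host, verdict: "lookalike", mimics };
  return { src, host, verdict: "untrusted" };
}

// Audit a snapshot of script URLs; returns only the ones worth a look.
function auditScripts(srcs) {
  return srcs.map(classifyScript).filter((r) => r.verdict !== "trusted");
}

// Browser-side hook: report script elements added after load, which is the
// injection pattern described above. Returns null outside a browser.
function watchInjectedScripts(report = (msg, r) => console.warn(msg, r)) {
  if (typeof MutationObserver === "undefined" || typeof document === "undefined") {
    return null;
  }
  const observer = new MutationObserver((mutations) => {
    for (const m of mutations) {
      for (const node of m.addedNodes) {
        if (node.nodeName !== "SCRIPT" || !node.src) continue;
        const result = classifyScript(node.src);
        if (result.verdict !== "trusted") report("suspicious script added", result);
      }
    }
  });
  observer.observe(document.documentElement, { childList: true, subtree: true });
  return observer;
}

// Constructed sample: script URLs seen on a login page; the last two are
// made up to stand in for a lookalike-CDN loader and an untrusted source.
const SAMPLE_SRCS = [
  "/static/login.js",
  "https://cdnjs.cloudflare.com/ajax/libs/jquery/3.7.1/jquery.min.js",
  "https://cdnjs.example-lookalike.net/loader.js",
  "https://203.0.113.10/x.js",
];
```

Because the injected script deletes itself from the DOM once it is done, recording additions as they happen (and shipping the report server-side) is more useful than an after-the-fact scan of the page.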

Innovative 'Brain-Like' Chip Could Transform AI Landscape with Eco-Friendly Promise


IBM, one of the world's most respected technology giants, says a prototype chip modelled on the brain may make artificial intelligence (AI) far more energy efficient. The advance addresses the emissions associated with AI systems, which today run in large facilities that consume a great deal of electricity.

IBM claims that its prototype chip, by making AI more efficient, is likely to change the field. Several components in IBM's chip are designed in a way that resembles the connections in the brain, which results in a more energy-efficient chip and longer battery life for AI systems.

According to Thanos Vasilopoulos, a scientist at IBM's research lab in Zurich, Switzerland, the brain's ability to carry out demanding tasks at low energy consumption is the model for the chip's exceptional energy efficiency. According to Apple, this breakthrough could lead to more efficient smartphone AI chips. Large and complex workloads could then be executed in low-power or battery-constrained environments such as cars, mobile phones, and video cameras.

Several components in IBM's chip differ from conventional digital chips, which store information as 0s and 1s; they are memristors, analog components that can store a wide range of values. Using memristors, the chip mimics the way synapses in the brain work, which allows it to "remember" its electrical history. Interconnected, such devices could provide the building blocks for networks that resemble biological brains.

Analog to Digital Conversion


A major flaw of most chips is that they are primarily digital, meaning they store data as 0s and 1s, whereas the new chips are analog, meaning they can keep a range of numbers using components called memristors. 

A digital switch is either on or off, whereas an analog switch, like a dimmer, gives a different amount of light depending on how far it is moved. The human brain is analog in nature, and memristors are structurally similar to the synapses in the brain.

Ferrante Neri, a professor of physics at the University of Surrey, explains that the use of memristors falls into the special category of what could be called nature-inspired computing, as it mimics the functions of the human brain. A memristor stores information about its own electrical history in the same way that a synapse in a biological system stores information about the electrical history of that system.

The memristor, similar to a synapse in a biological system, comes with the ability to "remember" its electrical history within the circuit board. Essentially, he said, there could be a system of memristors that would look like a biological brain if the devices were interconnected. 

Despite this, he cautioned that developing a computer with memristor technology is not a simple proposition and that there will be several challenges ahead before memristor technology becomes widely adopted, such as dealing with manufacturing difficulties and rising costs of materials. 

Improved Energy Efficiency 


These components allow the new chip to run more efficiently while retaining some digital components, which makes it easier to integrate into systems that already use AI. Many phones now ship with onboard AI chips for tasks such as photo processing; the iPhone, for instance, has a chip with a neural engine for such decisions.

IBM hopes to improve the efficiency of the chips in phones and cars so they can have longer battery life and support new applications in the future. Eventually, chips such as IBM's prototype could save a great deal of electricity if they replaced the chips currently used in the banks of computers that run powerful AI programs.

James Davenport, an IT professor at the University of Bath, has said the findings from IBM are "potentially interesting"; however, he cautions that the chip is not immediately effective as a solution, but rather only acts as a "possible first step" in solving the problem. 

In a similar way to how the brain stores information in synapses across a vast number of nerve cells, this analog chip uses memristors to store an immense amount of data. Thanks to its low-power, analog nature, the chip is not only more energy efficient than other chips on the market but also makes it possible to integrate AI into low-power environments such as mobile phones and vehicles.

It is important to note that while there are still challenges ahead, researchers have marked a significant step forward toward a more efficient and greener future of artificial intelligence. Despite not being a solution to the problem of AI energy consumption, it is a vital first step that could be taken to address the ever-evolving challenges associated with it. 

In the future, users will be interested to see how this 'Brain-Like' chip will impact AI ecosystems and sustainability, as it is fascinating to see how it unfolds even at this early stage of development.

Domino Backdoor Malware Created by FIN7 and Ex-Conti

 


Members of the now-defunct Conti ransomware gang have been using a new strain of malware developed by threat actors likely affiliated with the FIN7 hacking group. This suggests that the two teams collaborated in the malware development, indicating a cooperative effort. 

In the past month, IBM discovered a new malware family known as "Domino," developed by ITG14, aka FIN7, one of the most notorious cybercrime groups in the world. Domino bundles a lesser-known information stealer that has been advertised for sale on the dark web since December 2021 and that facilitates further exploitation of compromised systems.

Research by the X-Force team revealed that in May, when the Conti gang was disbanded, Conti threat actors began using Domino. This was about four months after FIN7 started using Domino in October last year.  

According to X-Force, the newly discovered "Domino" Trojan has been used by the TrickBot/Conti gang, ITG23, since February 2023.

According to an IBM research report, Domino's code overlaps with Lizar malware, which IBM has previously linked to the FIN7 group. The two malware families are also similar in functionality, configuration structure, and the formats used for handling bots.

IBM's security researchers reported that in some recent campaigns Domino may have been used in place of Lizar, also known as Tirion and Dice Loader, which was used in attacks between March 2020 and late 2022.

According to IBM researchers, there have been attacks using a malware loader, known as Dave Loader, which was previously used by Conti ransomware and TrickBot members in the fall of 2022. 

In attacks by the Royal and Play ransomware operations, which are run by ex-Conti members, this loader was observed deploying Cobalt Strike beacons that used a '206546002' watermark.

Former members of ITG23 could be behind the recent cyberattacks that are believed to have been carried out using the Dave Loader to inject the Domino Backdoor. 

ITG14, also known as FIN7, is a prolific Russian-speaking cybercriminal syndicate that is known for employing a variety of custom malware to deploy additional payloads to increase their monetization methods and enlarge their distribution channels. 

Domino Backdoor is a 64-bit DLL that enumerates system information, such as process names and states, usernames, and computer names, and sends it back to the attacker's command and control server for analysis. The backdoor also receives commands to execute and can deliver further payloads.

The backdoor was observed downloading an additional loader, Domino Loader, which installed an embedded information stealer calling itself 'Nemesis Project.' It could also plant a Cobalt Strike beacon.

A Conti loader called "Dave" was used by the threat actors during the campaign to drop FIN7's Domino backdoor on the endpoints. The backdoor was able to gather basic information about the system at hand and send it to a command and control server (C2). 

Once the system was compromised, the C2 returned an AES-encrypted payload. In many cases the encrypted payload was another loader with several code similarities to the initial Domino backdoor. The Domino loader then installed either a Cobalt Strike beacon or the Project Nemesis info stealer on the compromised system to complete the attack chain.

Most threat actors, especially ransomware operators seeking access to corporate networks, partner with other threat groups to distribute malware. The lines between malware developers and ransomware gangs have blurred over the years, and there is now little distinction between them.

The lines between TrickBot and BazarBackdoor blurred in the same way once the Conti cybercrime syndicate, based in Rome, took over development of both for its own use.

According to Microsoft, a threat actor tracked as DEV-0569 carried out intrusions in November 2022 that used BATLOADER malware to deliver Vidar and Cobalt Strike; the latter eventually enabled the human-operated ransomware attacks that distributed Royal in December 2022.

As the world of cybersecurity becomes increasingly shady, things are getting a bit murky. The issue of distinguishing malware developers from ransomware gangs is becoming increasingly difficult as time goes by.

The Urgent Need to Address the Critical Bug in IBM's Aspera Faspex

IBM's widely used Aspera Faspex has been found to have a critical vulnerability with a 9.8 CVSS rating, which could have serious consequences for organizations using the software. This blog will discuss the vulnerability in detail and the importance of taking prompt action to mitigate the risk.

Aspera Faspex vulnerability

IBM Vulnerability | An Overview

IBM's widely used Aspera Faspex file transfer system has a serious problem. A critical bug that could allow hackers to run any code they want is being used by cybercriminals, including ransomware groups. Even though IBM has released a patch to fix the issue, many organizations have failed to install it. 

Researchers are warning that this vulnerability is being exploited, and one of their customers was recently hacked due to this problem. It's important to take immediate action to fix this vulnerability to avoid being targeted by hackers.

What is Aspera Faspex?

Aspera Faspex is a software application that provides secure file transfer capabilities to businesses and organizations. It is widely used across various industries, including media and entertainment, healthcare, finance, and government agencies.

Understanding the Vulnerability

The vulnerability (CVE-2022-5859) in Aspera Faspex version 4.1.3 and earlier versions arises from insufficient validation of user-supplied input in the software. Attackers could exploit this vulnerability by sending specially crafted data to the application, leading to arbitrary code execution. This could enable attackers to bypass authentication and execute code on the vulnerable system, which could result in significant data breaches and other security incidents.

The Impact of the Vulnerability

The vulnerability in Aspera Faspex is considered critical, with a CVSS rating of 9.8 out of 10. This means that it is highly exploitable and could have severe consequences for organizations using the software. Attackers could gain unauthorized access to sensitive data, execute malicious code, and cause significant disruptions to business operations.

The Importance of Timely Patching

IBM has recommended that organizations using the affected version of the software should upgrade to a patched version as soon as possible to address the vulnerability. Timely patching is critical in mitigating the risk of cyberattacks and data breaches. Organizations that delay patching are putting themselves at increased risk of cyberattacks and other security incidents.

The Role of Security Hygiene

In addition to timely patching, implementing robust security measures is crucial in preventing cyberattacks and minimizing the impact of security incidents. IBM has emphasized the importance of following standard security practices, including network segmentation and monitoring for unusual behavior. These security measures can help organizations detect and respond to security incidents in a timely manner.

The Significance of the Aspera Faspex Vulnerability

The Aspera Faspex vulnerability is a reminder of the importance of prioritizing security in any organization. With the evolving security landscape, organizations must remain vigilant and continuously update their security measures to mitigate the risk of cyberattacks and other security incidents. Failure to take prompt action in addressing vulnerabilities could have severe consequences for organizations, including financial losses, reputational damage, and legal implications.

Malicious Actor Claims Targeting IBM & Stanford University


Jenkins was named as one of the TTPs used by a piece of spyware in a post on a British cybercrime forum that was picked up by CloudSEK's contextual AI digital risk platform, XVigil. The module described there features stealthy desktop takeover capabilities, used to boost ad click-throughs. Based on informal discussions, CloudSEK's experts expect this campaign to increase attempts to infect bots.

Evaluation of threats 

A malicious actor detailed how they hacked into a major organization by taking advantage of a flaw in the Jenkins dashboard in a post on a cybercrime site on May 7, 2022. 

Previously, the same threat actor was observed giving access to IBM. In addition, the actor provided evidence of a sample screenshot showing their alleged connection to a Jenkins dashboard. 

The threat actor came upon a Jenkins dashboard bypass that exposed internal hosts, scripts, database logins, and credentials. According to researchers, they located the company's publicly exposed asset on port 9443 using search engines like Shodan.

With that data in hand, the actor used a custom debugging script to find targets vulnerable to the reverse proxy misconfiguration bypass.

Origin of the threat actor

The hacker claimed they previously targeted IBM Tech Company as well, in particular internal administrators' scripts and firewall configurations for internal networks, in other posts by the same person on the cybercrime site.

In later posts, the actor also described the following exploit narrative for getting into Stanford University:
  • The actor enumerated all the subdomains connected to the university using the Sudomy tool.
  • The actor then probed those domains with httpx for a path such as -path /wp-content/plugins/.
  • Any subdomain returning data for that path was then open to RCE through the plugin's zero-day vulnerability.

According to CloudSEK, which reported the threats, other entities could execute similar exploits using the threat actor's TTP. "Modules like these can facilitate complex ransomware assaults and persistence," the security experts said while adding that threat actors "could migrate laterally, infecting the network, to retain persistence and steal credentials." 

Actors may utilize revealed credentials to access the user's other accounts because password reuse is standard practice. For reference, the malicious actors also took credit for hacking Stanford University and Jozef Safarik University in Slovakia. 

According to XVigil's reports, access to domains in several countries, including Ukraine, Pakistan, the United Arab Emirates, and Nepal, was reportedly found.

Carrier's Industrial Access Control System has Critical Flaws


Carrier's LenelS2 HID Mercury access control system, which is widely used in healthcare, academic, transport, and federal buildings, has eight zero-day vulnerabilities.

In a report shared by The Hacker News, Trellix security experts Steve Povolny and Sam Quinn wrote, "The vulnerabilities found enable us to demonstrate the ability to remotely open and lock doors, manipulate alarms, and degrade logging and notification systems."

The investigation began at the hardware level: researchers were able to modify onboard components and connect to the device using the manufacturer's built-in ports.

Using a combination of known and novel techniques, they gained root access to the device's operating system and extracted its firmware for virtualization and vulnerability discovery. One of the issues (CVE-2022-31481) is an unauthenticated remote code execution flaw with a CVSS severity rating of 10 out of 10. The detailed list of flaws is as follows:
  • Unauthenticated command injection vulnerability CVE-2022-31479. 
  • Unauthenticated denial-of-service vulnerability CVE-2022-31480.
  • Unauthenticated remote code execution vulnerability (CVSS 10) CVE-2022-31481.
  • Unauthenticated denial-of-service vulnerability CVE-2022-31482. 
  • An authenticated arbitrary file write vulnerability, CVE-2022-31483. 
  • Unauthenticated user modification vulnerability CVE-2022-31484.
  • Unauthenticated information spoofing vulnerability CVE-2022-31485. 
  • An authenticated command injection vulnerability, CVE-2022-31486.

Carrier has issued an alert in response to the revelation, which includes further details, mitigations, and firmware patches that consumers should apply right now. 

In locations where physical access to privileged facilities must be controlled, LenelS2 is used to connect with more complex building automation deployments. The following LenelS2 HID Mercury access panels are affected:
  • LNL-X2210 
  • LNL-X2220 
  • LNL-X3300 
  • LNL-X4420
  • LNL-4420 
  • S2-LP-1501 
  • S2-LP-1502 
  • S2-LP-2500, as well as 
  • S2-LP-4502 

According to a study conducted by IBM in 2021, the average cost of a physical data breach is 3.54 million dollars, with a detection time of 223 days. 

For companies that rely on access control systems to protect the security and safety of their facilities, the stakes are high. "ICS security presents unique issues," according to the US Cybersecurity and Infrastructure Security Agency (CISA).

"The increasing convergence of information technology (IT) and operational technology (OT) presents chances for exploitation that could result in catastrophic repercussions, including loss of life, economic damage, and disruption of society's National Critical Functions (NCFs)."

Consumers should be aware that while the recently disclosed vulnerabilities may appear to have minimal impact, attacks on critical infrastructure have a significant effect on our everyday lives.

Prometheus Ransomware's Bugs Inspired Researchers to Try to Build a Near-universal Decryption Tool


Prometheus, a ransomware variant based on Thanos that locked up victims' computers in the summer of 2021, contained a major "vulnerability" that prompted IBM security researchers to attempt a one-size-fits-all ransomware decryptor that could work against numerous ransomware variants, including Prometheus, AtomSilo, LockFile, Bandana, Chaos, and PartyTicket.

Although the IBM researchers were able to undo the work of many ransomware versions, the universal decryptor never materialised. According to Andy Piazza, IBM's worldwide head of threat intelligence, the team's efforts showed that while some ransomware families can be reverse-engineered to produce a decryption tool, no organisation should rely on decryption alone as its response to a ransomware attack.

“Hope is not a strategy,” Piazza said at RSA Conference 2022, held in San Francisco in person for the first time in two years. 

Aaron Gdanski, who was assisted by security researcher Anne Jobman, stated he became interested in developing a Prometheus decryption tool when one of IBM Security's clients got infected with the ransomware. He started by attempting to comprehend the ransomware's behaviour: Did it persist in the environment? Did it upload any files? And, more particularly, how did it produce the keys required to encrypt files? 

Gdanski discovered that Prometheus' encryption process relied on both "a hardcoded initialization vector that did not vary between samples" and the computer's uptime by using the DS-5 debugger and disassembler. Gdanski also discovered that Prometheus generated its seeds using a random number generator that defaulted to Environment.

“If I could obtain the seed at the time of encryption, I could use the same algorithm Prometheus did to regenerate the key it uses,” Gdanski stated. 

After obtaining the startup time of an afflicted system and the recorded timestamp of an encrypted file, Gdanski had a starting point on which to focus his investigation. After some further computation he derived a seed from Prometheus and tested it on sections of encrypted data; with some fine-tuning, the effort paid off. Gdanski also discovered that the seed changed based on when a file was encrypted. That meant a single decryption key would not work, but by sorting the encrypted files by their last write time on the system he was able to gradually generate a series of seeds that could be used for decryption. 

Gdanski believes the result might be applied to other ransomware families that rely on similar flawed random number generators. “Any time a non-cryptographically secure random number generator is used, you’re probably able to recreate a key,” Gdanski stated. 
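To make that weakness concrete, here is an added example (not IBM's or Gdanski's code, and not Prometheus' actual algorithm) that models an encryptor keyed from a non-cryptographic PRNG seeded with system uptime, then recovers each file's key by searching tick counts near the file's recorded write time. The toy XOR cipher, the 16-byte key, the millisecond search window and the `%PDF-1.7` known-plaintext prefix are all constructed for illustration.

```python
import random

KEY_LEN = 16  # constructed toy parameter


def keystream(seed: int, length: int) -> bytes:
    """Key material from a non-cryptographic PRNG (Python's Mersenne Twister
    here) seeded with a tick count. Same seed, same bytes, for anyone."""
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(length))


def xor_with_key(data: bytes, key: bytes) -> bytes:
    """Toy stream cipher: XOR the data with the key, repeated."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def toy_encrypt(plaintext: bytes, tick_count_ms: int) -> bytes:
    """Models the flaw the article describes: the key is derived from the
    machine's uptime (milliseconds since boot) when the file is encrypted."""
    return xor_with_key(plaintext, keystream(tick_count_ms, KEY_LEN))


def recover_seed(ciphertext: bytes, known_prefix: bytes,
                 approx_tick_ms: int, window_ms: int):
    """Try every tick count within window_ms of the file's write time and
    accept the one whose key turns the ciphertext head back into the known
    plaintext prefix (a file-format magic, for example). None if no hit."""
    for seed in range(approx_tick_ms - window_ms, approx_tick_ms + window_ms + 1):
        key = keystream(seed, KEY_LEN)
        if xor_with_key(ciphertext[:len(known_prefix)], key) == known_prefix:
            return seed
    return None


def decrypt_in_write_order(files, known_prefix: bytes, window_ms: int) -> dict:
    """files: (name, last_write_tick_ms, ciphertext) tuples. Each file was
    encrypted at a different uptime, so each needs its own seed; walking them
    sorted by last write time yields the series of seeds the article describes.
    Returns name -> plaintext (None where no seed was found)."""
    recovered = {}
    for name, tick, ct in sorted(files, key=lambda f: f[1]):
        seed = recover_seed(ct, known_prefix, tick, window_ms)
        recovered[name] = None if seed is None else xor_with_key(ct, keystream(seed, KEY_LEN))
    return recovered


if __name__ == "__main__":
    # Constructed victim data: two PDF-like files, each encrypted within a few
    # milliseconds of the timestamp the file system recorded for it.
    magic = b"%PDF-1.7"
    sample = [
        ("report.pdf", 1_000_000, toy_encrypt(magic + b"\nhello", 1_000_012)),
        ("notes.pdf", 1_000_500, toy_encrypt(magic + b"\nworld", 1_000_509)),
    ]
    for name, plaintext in decrypt_in_write_order(sample, magic, 50).items():
        print(name, plaintext)
```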

However, Gdanski stressed that this problem is unusual in his experience. As Piazza emphasised, the best protection against ransomware isn't hoping that the ransomware used in an assault is badly executed, it’s preventing a ransomware attack before it happens.

JupyterLab Web Notebooks Targeted by Unique Python-Based Ransomware

Researchers have revealed the first-ever Python-based ransomware specifically tailored to target vulnerable Jupyter notebooks. Jupyter is a web-based interactive computing platform that allows editing and running programs via a browser. Python isn't widely used for malware development; notably, criminals prefer languages like Go, DLang, Nim, and Rust. Nonetheless, this isn't the first time Python has been used in a ransomware attack: Sophos disclosed Python ransomware targeting VMware ESXi systems in October 2021. 

Jupyter Notebook is an open-source, web-based data visualization platform used in data science, computing, machine learning, and modular software to model data. The project supports over 40 programming languages and is used by Microsoft, IBM, and Google, as well as numerous universities. According to Assaf Morag, a data analyst at Aqua Security, "the attackers got early access via misconfigured environments, then executed a ransomware script that encrypts every file on a particular path on the server and eliminates itself after execution to disguise the operation." 

The Python ransomware is aimed at those who have unintentionally made their systems susceptible. To watch the malware's activities, the researchers set up a honeypot with an exposed Jupyter notebook application. The ransomware operator logged in to the server, opened a terminal, downloaded a set of malicious tools, including encryptors, and then manually generated a Python script. While the assault came to a halt before completing its mission, Team Nautilus was able to gather enough data to reproduce the remainder of the attack in a lab setting. The encryptor would replicate and encrypt files, then remove any unencrypted data before deleting itself. 

"There are over 11,000 servers with Jupyter Notebooks which are internet-facing," Aqua researcher Assaf Morag stated. "Users can execute a brute force attack and perhaps obtain access to some of them — one would be amazed how easy it can be to predict these passwords. We believe the attack either timed out on the honeypot or the ransomware is still being evaluated before being used in real-world attacks." Unlike conventional ransomware-as-a-service (RaaS) schemes, Aqua Security described the attack as "simple and straightforward," adding that no ransom note was displayed during the process, which raises the possibility that the threat actor was experimenting with the modus operandi or that the honeypot timed out before the attack could be completed. 
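The exposure described above (an internet-facing Jupyter server with no token or a guessable password) is a configuration problem, so it can be caught with a configuration audit. The following is an added example, not Aqua Security's or the Jupyter project's code; it assumes the classic Jupyter Server traits `c.ServerApp.ip`, `c.ServerApp.allow_remote_access`, `c.ServerApp.token` and `c.ServerApp.password`, and both config texts are constructed samples.

```python
import ast
import re

# Constructed sample: the kind of config that leaves a notebook server open
# to anyone who can reach the port, with no authentication at all.
EXPOSED_CONFIG = """
c.ServerApp.ip = '0.0.0.0'
c.ServerApp.allow_remote_access = True
c.ServerApp.token = ''
c.ServerApp.password = ''
c.ServerApp.open_browser = False
"""

# Constructed sample: same server bound to localhost with a hashed password
# (the hash value is a placeholder, not a real argon2 digest).
HARDENED_CONFIG = """
c.ServerApp.ip = '127.0.0.1'
c.ServerApp.allow_remote_access = False
c.ServerApp.password = 'argon2:$argon2id$v=19$m=10240,t=10,p=8$PLACEHOLDER'
c.ServerApp.open_browser = False
"""

_SETTING = re.compile(r"^\s*c\.ServerApp\.(\w+)\s*=\s*(.+?)\s*$", re.M)


def parse_server_settings(config_text: str) -> dict:
    """Collect `c.ServerApp.<name> = <python literal>` lines into a dict."""
    settings = {}
    for name, raw in _SETTING.findall(config_text):
        settings[name] = ast.literal_eval(raw)
    return settings


def audit_jupyter_config(config_text: str) -> list:
    """Return findings that explain why the server would be reachable by an
    unauthenticated or password-guessing attacker; an empty list is clean."""
    s = parse_server_settings(config_text)
    findings = []
    ip = s.get("ip", "localhost")
    if ip not in ("localhost", "127.0.0.1", "::1") or s.get("allow_remote_access", False):
        findings.append("server reachable from the network (ip / allow_remote_access)")
    # token unset means the server generates a random one; only an explicit
    # empty token together with an empty password disables authentication.
    if s.get("token") == "" and s.get("password", "") == "":
        findings.append("token and password both empty: no authentication at all")
    return findings


if __name__ == "__main__":
    for label, cfg in (("exposed", EXPOSED_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, audit_jupyter_config(cfg) or "no findings")
```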

Regardless, the researchers believe it is ransomware rather than a wiper based on what they have seen. "Wipers typically exfiltrate data and delete it or simply wipe it," Morag continued. "We haven't observed any attempts to move the data outside the server, and the data wasn't just erased, it was encrypted with a password. This is further evidence that this is a ransomware attack instead of a wiper."

Although evidence discovered during the incident investigation points to a Russian actor, based on similarities with prior cryptomining attacks on Jupyter notebooks, the attacker's identity remains unknown.

Researchers Learn from ITG18 Group's OpSec Mistakes

In their analysis of a group known as ITG18, also identified as Charming Kitten and Phosphorus, a team of IBM X-Force security experts used the attackers' operational security mistakes to disclose the core details of how the group functions and launches attacks. 

ITG18 has a history of targeting high-profile victims, journalists, nuclear experts, and people working on COVID-19 vaccine research. It is linked to Iranian government operations, and it was also linked to an attack in late 2019. 

Richard Emerson, senior threat hunt analyst with IBM X-Force, stated, "How we define this group is they're primarily focused on phishing and targeting personal accounts, although there's evidence that they may also go after corporate accounts as well." Based on the amount of infrastructure it has registered, researchers believe it to be a "rather sizable organization"; Emerson adds that they have collected over 2,000 indicators connected to this group alone during the last couple of years. 

According to Allison Wikoff, a senior strategic cyber-threat analyst at IBM X-Force, the team achieved "a major breakthrough" in studying ITG18 behavior while examining an attack on executives at a COVID-19 research center. 

Researchers collected indicators that are linked with attackers' activities on a regular basis; when investigating ITG18's activity, the team discovered flaws in the attackers' infrastructure, resulting in a plethora of fresh information. 

"When we saw this open server, we collected videos and exfiltrated information. Over the course of the last 18 months, we've continually seen the same errors from this group," she added. 

Researchers discovered training videos used by the group among the data they gathered. These details include how the organization maintains access to hacked email accounts, how attackers exfiltrate data, and how they build on compromises with stolen data. The videos gave investigators a better understanding of the procedures, yet the mistakes persisted. 

ITG18 has a habit of misconfiguring its servers to leave listable folders, according to Emerson. Anyone with the IP address or domain can read the files without authentication. The group keeps its stolen data on many of these servers, where anybody might find massive archived files ranging from 1GB to 100–150GB, all of which could relate to a single targeted individual. Researchers have also discovered ITG18 storing tools on these misconfigured servers, some of which are legitimate and others custom. 

According to Emerson and Wikoff, the group's new Android remote access Trojan is used to infect the targets they track on a regular basis. The code was dubbed "LittleLooter."  

ITG18's blunders have benefited Emerson and Wikoff in painting a more comprehensive view of how the organization functions and speculating on what its future activities would entail. Wikoff points out that the assaults aren't particularly complex, and that the study shows they aren't likely to evolve. 

"The interesting thing about this particular group is that the tactics haven't really changed all that much in the four to five years [we] have been laser-focused on it," she added. 

Others have previously reported on ITG18's misconfigured servers, so the attackers are likely aware of the problem but haven't rectified it. It appears that the group either does not want to fix the error, does not want to modify their operating tempo, or that another factor is at play. 

While many defensive suggestions aren't specific to ITG18, and multifactor authentication is a significant deterrent for these attackers, Wikoff points out that defending against this group is complicated because it primarily targets personal resources. 

Even though companies control their workers' personal information, these attacks may compromise corporate security. Emerson advised that businesses should examine how they would respond if an employee is harmed in one of these assaults and how they can teach staff to be aware of the dangers they face.

IBM: Cyber attacks on Linux systems of Russian government agencies will increase

The problem will also affect Russian government agencies, which are switching to domestic Linux operating systems as part of import substitution. Businesses that have started actively using the cloud against the background of the pandemic face increased costs: attackers can hack their cloud environments and use them for mining cryptocurrencies and DDoS attacks.

According to the IBM report on the main information security risks in 2021, the number of attacks on cloud environments and open-source Linux operating systems will increase this year. Users of Russian operating systems on Linux can also suffer, said Oleg Bakshinsky, a leading information security adviser for IBM in Russia.

The attackers began using the extensible computing power of Linux-based cloud environments, said Mr. Bakshinsky.

The customer can enable the service in their cloud settings, and at times of peak loads, their resources will be expanded for an additional fee. Attackers take advantage of this by gaining unauthorized access to the victim's cloud environment, increasing the company's costs for paying for cloud services.

The authorities have already acknowledged the problem. Accordingly, to check the security of Linux-based operating systems, the Federal Service for Technical and Export Control of Russia will create a research center for 300 million rubles ($4 million).

Cybersecurity experts also confirmed the growing interest of hackers in Linux systems. Check Point records about 20 attacks on Linux-based cloud environments in Russia, which is 3.45% of the total number of such attacks worldwide.

The main targets of the attackers, according to Nikita Durov, technical director of Check Point in Russia, are the financial industry and the government.

Alexander Tyurnikov, head of software development at Cross Technologies, is convinced that attacks on cloud environments "will not be so large-scale as to lead to the collapse of state and commercial systems."

IBM announces 1000 STEM internship opportunities for students

Petrarch once said, "Sameness is the mother of disgust, variety the cure". We as a society believe quite strongly in diversity; it is the core of our harmonious existence, and research shows that diverse companies produce 19% more revenue. Most companies today give considerable weight to being diverse and inclusive, one of them being IBM.

IBM, a highly innovative and research-focused company has always been inclusive in its approach with its ingenious programs like "creating new pathways to science, technology, engineering and math careers with Pathways in Technology Early College High School also known as P-TECH".

"The fight against racism and racial inequality is as urgent as ever. Despite much progress since the Civil Rights movement, Black people are still significantly affected by poverty, unemployment, segregated housing, and other injustices in the United States," they wrote on their website.

With the same thought, IBM has announced that it will provide 1,000 internships for P-TECH students in the United States, up from the 150 it offered earlier.

"At IBM, one way we are taking action in advocating for social justice and racial equality is by advancing education, skills, and jobs. Today, as part of our ongoing efforts, we are pleased to announce the creation of 1,000 paid internships for P-TECH students in the United States from now until December 31, 2021. This commitment is a 10x incremental increase from our most recent internship goals." announced the company.

P-TECH is a unique program by IBM in which students from grades 9-11 are prepared with STEM training, mentorship, and work experience. The students earn a high school diploma, a two-year associate degree, work experience, and ample opportunities to enter the tech field. STEM (science, technology, engineering, and mathematics) has led the global innovation bar, but it is also a field in which minorities are still greatly underrepresented, and IBM is stepping up to address this issue with its program of 1,000 internships.

"We aspire to create more open and equitable pathways to employment for all regardless of background. It’s about generating the skills and training that lead to good jobs. We will continue the fight to bring new faces to the tech industry that truly reflect the demographics of our communities," IBM writes on P-TECH programs announcing the new internship opportunities.

Researchers Find Third-Party Breaches Cost the Healthcare Industry $23.7 Billion a Year

The average cost of a data breach has increased by 12% over the past five years to US$3.92 million, according to a report sponsored by tech giant IBM.

The report, released by Censinet and the Ponemon Institute and funded by IBM, surveyed more than 500 companies around the world that suffered a breach over the past year.

According to the report, 72 percent of respondents believe that the increasing reliance on connecting third-party medical devices to the network is the biggest risk, while 68 percent say connecting medical devices to the internet increases the risk of cyberattack. 

“This research confirms that healthcare providers require a better, more cost-effective approach to third-party risk management,” said Ed Gaudet, CEO, and founder of Censinet. “The adoption of technology in healthcare is more rapid and complicated than ever before. As an industry, we must help providers safely enable cloud applications and medical devices optimized to deliver the quality of care hospitals and their patients expect.”

In India, a data breach compromised 35,636 records on average and cost organizations ₹12.8 crore between July 2018 and April 2019.

“It’s clear that healthcare providers are in a tough spot. The number of vendors they rely on is increasing at the same time the threats those vendors pose are escalating in frequency and severity, so it’s easy to see how managing these risks has become an overwhelming problem,” said Dr. Ponemon, chairman and founder of the Ponemon Institute. “But it’s not all bad news – we can very clearly see an opportunity with automation for healthcare providers to monitor, measure, and mitigate the scourge of third-party breaches that continues to plague their industry.”

Cybercriminal Gang behind $100 Million Theft Busted

An international cybercrime network that used Russian malware to steal $100 million from tens of thousands of victims has been busted by a joint operation of United States and European police.  

The gang used the extremely powerful GozNym banking malware to infect computers, which allowed them to steal users' bank login details; the scheme involved "more than 41,000 victims, primarily businesses and their financial institutions," Europol said. 

The malware GozNym is a combination of two other malware — Gozi and Nymaim. According to the IBM X-Force Research team the malware took the most powerful elements of each one. “From the Nymaim malware, it leverages the dropper’s stealth and persistence; the Gozi parts add the banking Trojan’s capabilities to facilitate fraud via infected internet browsers,” the team said, adding: “The end result is a new banking Trojan in the wild.”

Prosecutions have been launched against the gang in Georgia, Moldova, Ukraine and the United States, while five Russians charged in the US remain on the run, the EU police agency Europol said.

Alexander Konovolov, 35, of Tbilisi, Georgia, is the prime accused and the leader of the network, and is currently being prosecuted in Georgia.

Police in Germany and Bulgaria were also involved.

Hewlett Packard Enterprise and IBM Networks Breached by China; Clients Targeted

Hackers working for China's Ministry of State Security breached the networks of Hewlett Packard Enterprise and IBM in order to gain access to their clients' computers.

As part of the Chinese campaign known as Cloudhopper, the attacks compromised technology service providers in order to steal secrets from their clients. While International Business Machines Corp said it had no proof that sensitive corporate data had been compromised, Hewlett Packard Enterprise (HPE) simply chose not to comment on the campaign.

Although multiple warnings about the Cloudhopper threat have been issued since 2017 by numerous government agencies in addition to many cybersecurity firms, the identities of the technology companies whose networks were compromised have still not been revealed.

As indicated by a U.S. federal indictment of two Chinese nationals unsealed on the 20th of December, Cloudhopper was for the most part centered on targeting MSPs in order to easily access client networks and steal corporate secrets from organizations around the world.

While both IBM and HPE refused to comment on the specific claims made by the sources, each did give a statement.

"IBM has been aware of the reported attacks and already has taken extensive counter-measures worldwide as part of our continuous efforts to protect the company and our clients against constantly evolving threats. We take responsible stewardship of client data very seriously, and have no evidence that sensitive IBM or client data has been compromised by this threat."

HPE said, "The security of HPE customer data is our top priority. We are unable to comment on the specific details described in the indictment, but HPE's managed services provider business moved to DXC Technology in connection with HPE's divestiture of its Enterprise Services business in 2017." 

Reuters was neither able to confirm the names of other breached technology firms nor to identify any affected users.

Cloudhopper, which has been focusing on technology service providers for quite a long while, is known to have penetrated the systems of HPE and IBM on numerous occasions in breaches that have gone on for a considerable length of time.

IBM investigated an attack as recently as the middle of this year, while HPE conducted a large breach investigation in mid-2017.