Search This Blog
Powered by Blogger.

Blog Archive

Labels

About Me

Load More
Trendy Right Now

Popular Posts

Showing posts with label IBM. Show all posts
IBM Security
AI governance AI Risks AI Systems AI technology Breaches Cyber Security Data Breaches data security IBM IBM research IBM Security

Racing Ahead with AI, Companies Neglect Governance—Leading to Costly Breaches

 

Organizations are deploying AI at breakneck speed—so rapidly, in fact, that foundational safeguards like governance and access controls are being sidelined. The 2025 IBM Cost of a Data Breach Report, based on data from 600 breached companies, finds that 13% of organizations have suffered breaches involving AI systems, with 97% of those lacking basic AI access controls. IBM refers to this trend as “do‑it‑now AI adoption,” where businesses prioritize quick implementation over security. 

The consequences are stark: systems deployed without oversight are more likely to be breached—and when breaches occur, they’re more costly. One emerging danger is “shadow AI”—the widespread use of AI tools by staff without IT approval. The report reveals that organizations facing breaches linked to shadow AI incurred about $670,000 more in costs than those without such unauthorized use. 

Furthermore, 20% of surveyed organizations reported such breaches, yet only 37% had policies to manage or detect shadow AI. Despite these risks, companies that integrate AI and automation into their security operations are finding significant benefits. On average, such firms reduced breach costs by around $1.9 million and shortened incident response timelines by 80 days. 

IBM’s Vice President of Data Security, Suja Viswesan, emphasized that this mismatch between rapid AI deployment and weak security infrastructure is creating critical vulnerabilities—essentially turning AI into a high-value target for attackers. Cybercriminals are increasingly weaponizing AI as well. A notable 16% of breaches now involve attackers using AI—frequently in phishing or deepfake impersonation campaigns—illustrating that AI is both a risk and a defensive asset. 

On the cost front, global average data breach expenses have decreased slightly, falling to $4.44 million, partly due to faster containment via AI-enhanced response tools. However, U.S. breach costs soared to a record $10.22 million—underscoring how inconsistent security practices can dramatically affect financial outcomes. 

IBM calls for organizations to build governance, compliance, and security into every step of AI adoption—not after deployment. Without policies, oversight, and access controls embedded from the start, the rapid embrace of AI could compromise trust, safety, and financial stability in the long run.
Read more »
Visa
Artificial Intelligence IBM OpenAI shopping Technology Visa

AI Can Now Shop for You: Visa’s Smart Payment Platform

 



Visa has rolled out a new system that allows artificial intelligence (AI) to not only suggest items to buy but also complete purchases for users. The newly launched platform, called Visa Intelligent Commerce, lets AI assistants shop on your behalf — while keeping your financial data secure.

The announcement was made recently during Visa’s event in San Francisco. This marks a step towards AI taking on more day-to-day tasks for users, including buying products, booking services, and managing online orders — all based on your instructions.


AI That Does More Than Just Help You Shop

Today, many AI tools can help people find products or services online. But when it comes to actually completing the purchase, those systems often stop short. Visa is working to close that gap by allowing these tools to also handle payments.

To do this, Visa has teamed up with top tech companies like Microsoft, IBM, OpenAI, Samsung, and others. Their combined goal is to build a secure way for AI to handle payments without needing access to your actual card details.


How the Technology Works

Instead of using your real credit or debit card numbers, the platform turns your card information into a digital token — a safe, coded version of your payment data. These tokens are used by approved AI agents when carrying out transactions.

Users still stay in control. You can set limits on how much the AI can spend, pick which types of stores it’s allowed to use, or even require a manual approval before it pays.

For example, you might ask your AI to book a hotel room under a certain price or order groceries every week. The AI would then search websites, compare options, and make the purchase — all without you needing to fill out your payment details each time.


Safety Is the Main Priority

Visa is aware that letting AI spend money on your behalf might raise concerns. That’s why they’ve built strong protections into the system. Only AI agents that you’ve approved can access your tokenized payment info. Every transaction is monitored in real time by Visa’s fraud-detection systems — which have already helped prevent billions in fraud before.

The company is also using data tools that protect your privacy. When the AI needs data to personalize your shopping, it uses temporary access methods that keep you in charge of what’s shared.

Visa believes this could be the next big change in online shopping, similar to past shifts from physical stores to websites, and then from computers to phones. With their global network already in place, Visa is prepared to support this new way of shopping across many countries.

Developers can start using the tools now, and test programs will roll out soon. As AI becomes part of daily life, Visa hopes this new system will make everyday shopping faster, easier, and more secure.

Read more »
Ransomware
AI Akira Credentials Cyber Crime IBM phishing Ransomware

Cybercriminals Are Now Focusing More on Stealing Credentials Than Using Ransomware, IBM Warns

 



A new report from IBM’s X-Force 2025 Threat Intelligence Index shows that cybercriminals are changing their tactics. Instead of mainly using ransomware to lock systems, more hackers are now trying to quietly steal login information. IBM studied over 150 billion security events each day from 130+ countries and found that infostealers, a type of malware sent through emails to steal data, rose by 84% in 2024 compared to 2023.

This change means that instead of damaging systems right away, attackers are sneaking into networks to steal passwords and other sensitive information. Mark Hughes, a cybersecurity leader at IBM, said attackers are finding ways into complex cloud systems without making a mess. He also advised businesses to stop relying on basic protection methods. Instead, companies should improve how they manage passwords, fix weaknesses in multi-factor authentication, and actively search for hidden threats before any damage happens.

Critical industries such as energy, healthcare, and transportation were the main targets in the past year. About 70% of the incidents IBM helped handle involved critical infrastructure. In around 25% of these cases, attackers got in by taking advantage of known flaws in systems that had not been fixed. Many hackers now prefer stealing important data instead of locking it with ransomware. Data theft was the method in 18% of cases, while encryption-based attacks made up only 11%.

The study also found that Asia and North America were attacked the most, together making up nearly 60% of global incidents. Asia alone saw 34% of the attacks, and North America had 24%. Manufacturing businesses remained the top industry targeted for the fourth year in a row because even short outages can seriously hurt their operations.

Emerging threats related to artificial intelligence (AI) were also discussed. No major attacks on AI systems happened in 2024, but experts found some early signs of possible risks. For example, a serious security gap was found in a software framework used to create AI agents. As AI technology spreads, hackers are likely to build new tools to attack these systems, making it very important to secure AI pipelines early.

Another major concern is the slow pace of fixing vulnerabilities in many companies. IBM found that many Red Hat Enterprise Linux users had not updated their systems properly, leaving them open to attacks. Also, ransomware groups like Akira, Lockbit, Clop, and RansomHub have evolved to target both Windows and Linux systems.

Lastly, phishing attacks that deliver infostealers increased by 180% in 2024 compared to the year before. Even though ransomware still accounted for 28% of malware cases, the overall number of ransomware incidents fell. Cybercriminals are clearly moving towards quieter methods that focus on stealing identities rather than locking down systems.


Read more »
Quantum computing
Algorithm Cyber Security data security Digital Communication IBM Quantum computing

NIST Approves IBM's Quantum-Safe Algorithms for Future Data Security

 


In a defining move for digital security, the National Institute of Standards and Technology (NIST) has given its official approval to three quantum-resistant algorithms developed in collaboration with IBM Research. These algorithms are designed to safeguard critical data and systems from the emerging threats posed by quantum computing.

The Quantum Computing Challenge

Quantum computing is rapidly approaching, bringing with it the potential to undermine current encryption techniques. These advanced computers could eventually decode the encryption protocols that secure today’s digital communications, financial transactions, and sensitive information, making them vulnerable to breaches. To mitigate this impending risk, cybersecurity experts are striving to develop encryption methods capable of withstanding quantum computational power.

IBM's Leadership in Cybersecurity

IBM has been at the forefront of efforts to prepare the digital world for the challenges posed by quantum computing. The company highlights the necessity of "crypto-agility," the capability to  modify cryptographic methods to prepare in the face of rapid development of security challenges. This flexibility is especially crucial as quantum computing technology continues to develop, posing new threats to traditional security measures.

NIST’s Endorsement of Quantum-Safe Algorithms

NIST's recent endorsement of three IBM-developed algorithms is a crucial milestone in the advancement of quantum-resistant cryptography. The algorithms, known as ML-KEM for encryption and ML-DSA and SLH-DSA for digital signatures, are integral to IBM's broader strategy to ensure the resilience of cryptographic systems in the quantum era.

To facilitate the transition to quantum-resistant cryptography, IBM has introduced two essential tools: the IBM Quantum Safe Explorer and the IBM Quantum Safe Remediator. The Quantum Safe Explorer helps organisations identify which cryptographic methods are most susceptible to quantum threats, guiding their prioritisation of updates. The Quantum Safe Remediator, on the other hand, provides solutions to help organisations upgrade their systems with quantum-resistant cryptography, ensuring continued security during this transition.

As quantum computing technology advances, the urgency for developing encryption methods that can withstand these powerful machines becomes increasingly clear. IBM's contributions to the creation and implementation of quantum-safe algorithms are a vital part of the global effort to protect digital infrastructure from future threats. With NIST's approval, these algorithms represent a meaningful leap forward in securing sensitive data and systems against quantum-enabled attacks. By promoting crypto-agility and offering tools to support a smooth transition to quantum-safe cryptography, IBM is playing a key role in building a more secure digital future.


Read more »
Paradoxical Cyberattacks
Cyber Breach Cyber Security Cyberattacks CyberCrime Cyberhackers CyberThreat IBM Paradoxical Cyberattacks

The Unyielding Struggle of Cybersecurity and Its Paradoxical Dilemma

 


The topic of cybersecurity has undoubtedly become one of the most pressing issues on the business agenda over the last few years. Despite the many technological advancements, malicious attacks are constantly on the rise as a result of the digitalization of business practices. IMF estimations claim that it has more than doubled since the beginning of the pandemic. 

During the year 2023, the number of data breaches has increased by 20 per cent over the year 2022, according to a recent report. Several threats can compromise sensitive information of both companies and their clients, halt enterprise operations, and result in substantial financial losses incurred by the organization. In 2023, IBM reported that the average cost of a data breach per venture was $4.45 million, which equates to a 30 per cent increase in the startup price. 

It represents a 14 per cent increase from last year, a 2.3 per cent increase from last year, and a 15.3 per cent increase from 2020, making it an all-time high. Depending on the size of the company, the financial burden may be greater for some than for others. Taking Equifax's major breach in the US credit reporting agency, which affected 150 million consumers, as an example, the company paid over $1 billion in penalties following the breach in 2017. 

Further, malicious activities have the potential to affect companies in several ways, including immediate financial losses, but also long-term issues with efficiency and effectiveness. It has been found that one of the consequences of these kinds of events is that they undermine the reputation of a company. It is in turn consequential in that it can lessen a company's chances for obtaining future funding or compromise its ability to expand its client base. 

The additional cost of patching a breach is also very great for organizations, often costing a lot of money. It was recently reported that one of the most prominent marketplaces for in-game goods globally lost 11 million dollars worth of goods due to a security breach. Despite its revenue increase, this incident has affected its audience in terms of repulsion, which has affected the site's revenue increase. During that period, the company was forced to suspend all operations as a result of securing the platform and strengthening its security. 

 Attempting to eliminate these issues from reoccurring, businesses are putting increasingly sophisticated barriers in place to prevent the possibility of hackers exploiting their systems. The amount of money being spent on various cybersecurity tools is an indication that this is the case. A recent study indicates that the market will reach an estimated $80 billion by 2023, based on the data provided. According to statistics, the total expenditure in 2022 is estimated to be $71.1 billion. The projected expenditure on cybersecurity is expected to reach $87 billion this year. 

Companies are investing in a diverse range of solutions, including advanced encryption, multi-factor authentication, and real-time threat detection systems. However, an ironic issue emerges: as cybersecurity advances, malicious actors simultaneously innovate and escalate their tactics. They scrutinize the technologies deployed to protect assets and identify weak points to breach these defenses. For example, the advent of quantum computing offers the promise of stronger encryption methods. 

Yet, it also poses a potential threat, as cybercriminals could exploit quantum capabilities to break current encryption standards. Similarly, while multi-cloud architecture enhances risk resilience by distributing data across multiple platforms, it also expands the attack surface. The broader network perimeter introduces more points of vulnerability. Microsoft reports that securing all cloud-native applications and infrastructure throughout their lifecycle is challenging for many businesses. 

Their 2023 report indicates that the average organization had 351 exploitable attack paths that threat actors could use to access high-value assets. This cat-and-mouse dynamic is particularly evident among large companies. A growing trend is that while big firms are enhancing their layers of protection, hackers are increasingly targeting small and medium-sized enterprises (SMEs). SMEs often have fewer resources to invest in cybersecurity, making them easier targets for malicious actors. As of 2023, 31% of SMEs experienced a cybersecurity breach in the previous 12 months. 

Another paradox is that these malicious organizations are often small-scale entities themselves, contrary to popular belief. These so-called private sector offensive actors usually have limited resources compared to giants like Microsoft or other large firms. However, they do not require large budgets, as identifying software vulnerabilities is significantly less complex and costly than creating the software itself. To illustrate, it is much easier for a teacher to check 30 homework than for a single student to prepare the same number of papers from scratch. 

While large malicious actors certainly exist in the field, their impact on cybersecurity is often overshadowed by the influence of thousands or even tens of thousands of independent hackers. Given this paradox, businesses must adopt a holistic and proactive approach to cybersecurity. Organizations should invest in comprehensive security frameworks that encompass prevention, detection, and rapid response to any suspicious activities. Employee training is also crucial. 

Human error remains one of the weakest links in cybersecurity. Indeed, 95% of modern cybersecurity breaches are caused by human mistakes, such as setting weak passwords. Moreover, only one-third of breaches identified in 2023 were detected by the company’s security team. This underscores the necessity for organizations to train their employees to recognize and respond to potential threats, thereby reducing the number of successful attacks. 

Furthermore, collaboration is essential. The public and private sectors must work together to share intelligence and develop unified strategies to combat cyber threats. Information sharing can lead to more robust defences and a collective understanding of emerging threats. Continuous monitoring of the cybersecurity field, adaptation, and modernization—or even radical changes to solutions—are imperative. As cybersecurity expert Bruce Schneier famously stated, security is a process, not a one-time product.
Read more »
Technology
AI energy efficiency brain-inspired computing cryptocurrency energy consumption IBM Intel Loihi 2 chip neuromorphic computing NorthPole chip NVIDIA rising energy demands SpiNNcloud Systems Technology

Could Brain-Like Computers Be a Game Changer in the Tech Industry?

 

Modern computing's demand for electricity is growing at an alarming pace. By 2026, energy consumption by data centers, artificial intelligence (AI), and cryptocurrency could potentially double compared to 2022 levels, according to a report from the International Energy Agency (IEA). The IEA estimates that by 2026, these sectors' energy usage could be equivalent to Japan's annual energy consumption.

Companies like Nvidia, which produces chips for most AI applications today, are working on developing more energy-efficient hardware. However, another approach could be to create computers with a fundamentally different, more energy-efficient architecture.

Some companies are exploring this path by mimicking the brain, an organ that performs more operations faster than conventional computers while using only a fraction of the power. Neuromorphic computing involves electronic devices imitating neurons and synapses, interconnected similarly to the brain's electrical network.

This concept isn't new; researchers have been investigating it since the 1980s. However, the rising energy demands of the AI revolution are increasing the urgency to bring this technology into practical use. Current neuromorphic systems mainly serve as research tools, but proponents argue they could greatly enhance energy efficiency.

Major companies like Intel and IBM, along with several smaller firms, are pursuing commercial applications. Dan Hutcheson, an analyst at TechInsights, notes, "The opportunity is there waiting for the company that can figure this out... it could be an Nvidia killer." In May, SpiNNcloud Systems, a spinout from the Dresden University of Technology, announced it would begin selling neuromorphic supercomputers and is currently taking pre-orders.

Hector Gonzalez, co-chief executive of SpiNNcloud Systems, stated, "We have reached the commercialization of neuromorphic supercomputers ahead of other companies." Tony Kenyon, a professor at University College London, adds, "While there still isn’t a killer app... there are many areas where neuromorphic computing will provide significant gains in energy efficiency and performance, and I’m sure we’ll start to see wide adoption as the technology matures."

Neuromorphic computing encompasses various approaches, from a brain-inspired design to near-total simulation of the human brain, though we are far from achieving the latter. Key differences from conventional computing include the integration of memory and processing units on a single chip, which reduces energy consumption and speeds up processing.

Another common feature is an event-driven approach, where imitation neurons and synapses activate only when they have something to communicate, akin to the brain's function. This selective activation saves power compared to conventional computers that are always on.

Additionally, while modern computers are digital, neuromorphic computing can also be analog, relying on continuous signals, which is useful for analyzing real-world data. However, most commercially focused efforts remain digital for ease of implementation.

Commercial applications of neuromorphic computing are envisioned in two main areas: enhancing energy efficiency and performance for AI applications like image and video analysis, speech recognition, and large-language models such as ChatGPT, and in "edge computing" where data is processed in real-time on connected devices under power constraints. Potential beneficiaries include autonomous vehicles, robots, cell phones, and wearable technology.

However, technical challenges persist, particularly in developing software for these new chips, which requires a completely different programming style from conventional computers. "The potential for these devices is huge... the problem is how do you make them work," Hutcheson says, predicting that it could take one to two decades before neuromorphic computing's benefits are fully realized. Cost is another issue, as creating new chips, whether using silicon or other materials, is expensive.

Intel's current prototype, the Loihi 2 chip, is a significant advancement in neuromorphic computing. In April, Intel announced Hala Point, a large-scale neuromorphic research system comprising 1,152 Loihi 2 chips, equating to over 1.15 billion neurons and 128 billion synapses—about the neuron capacity of an owl brain. Mike Davies, director of Intel's neuromorphic computing lab, says Hala Point shows real viability for AI applications and notes rapid progress on the software side.

IBM's latest brain-inspired prototype chip, NorthPole, is an evolution of its previous TrueNorth chip. According to Dharmendra Modha, IBM's chief scientist of brain-inspired computing, NorthPole is more energy and space efficient and faster than any existing chip. IBM is now working to integrate these chips into a larger system, with Modha highlighting that NorthPole was co-designed with software to fully exploit its architecture from the outset.

Other smaller neuromorphic companies include BrainChip, SynSense, and Innatera. SpiNNcloud’s supercomputers commercialize neuromorphic computing developed at TU Dresden and the University of Manchester under the EU’s Human Brain Project. This project has produced two research-purpose supercomputers: SpiNNaker1 at Manchester, operational since 2018 with over one billion neurons, and SpiNNaker2 at Dresden, capable of emulating at least five billion neurons and currently being configured. SpiNNcloud's commercial systems are expected to emulate at least 10 billion neurons.

According to Professor Kenyon, the future will likely feature a combination of conventional, neuromorphic, and quantum computing platforms, all working together.
Read more »
XDR Firm
CISO Cyber Security IBM Palo Alto Networks Software XDR Firm

IBM's Exit from Cybersecurity Software Shakes the Industry


 

In an unexpected move that has disrupted the cybersecurity equilibrium, IBM has announced its exit from the cybersecurity software market by selling its QRadar SaaS portfolio to Palo Alto Networks. This development has left many Chief Information Security Officers (CISOs) rethinking their procurement strategies and vendor relationships as they work to rebuild their Security Operations Centers (SOCs).

IBM's QRadar Suite: A Brief Overview

The QRadar Suite, rolled out by IBM in 2023, included a comprehensive set of cloud-native security tools such as endpoint detection and response (EDR), extended detection and response (XDR), managed detection and response (MDR), and key components for log management, including security information and event management (SIEM) and security orchestration, automation, and response (SOAR) platforms. The suite was recently expanded to include on-premises versions based on Red Hat OpenShift, with plans for integrating AI capabilities through IBM's Watsonx AI platform.

The agreement, expected to close by the end of September, also designates IBM Consulting as a "preferred managed security services provider (MSSP)" for Palo Alto Networks customers. This partnership will see the two companies sharing a joint SOC, potentially benefiting customers looking for integrated security solutions.

Palo Alto Networks has assured that feature updates and critical fixes will continue for on-premises QRadar installations. However, the long-term support for these on-premises solutions remains uncertain.

Customer Impact and Reactions

The sudden divestiture has taken the cybersecurity community by surprise, particularly given IBM's significant investment in transforming QRadar into a cloud-native platform. Eric Parizo, managing principal analyst at Omdia, noted the unexpected nature of this move, highlighting the substantial resources IBM had dedicated to QRadar's development.

Customers now face a critical decision: migrate to Palo Alto's Cortex XSIAM platform or explore other alternatives. Omdia's research indicates that IBM's QRadar was the third-largest next-generation SIEM provider, trailing only Microsoft and Splunk (now part of Cisco). The sudden shift has left many customers seeking clarity and solutions.

Market Dynamics

This acquisition comes at a pivotal time in the cybersecurity industry, with SIEM, SOAR, and XDR technologies increasingly converging into unified SOC platforms. Major players like AWS, Microsoft, Google, CrowdStrike, Cisco, and Palo Alto Networks are leading this trend. Just before IBM's announcement, Exabeam and LogRhythm revealed their merger plans, aiming to combine their SIEM and user and entity behaviour analytics (UEBA) capabilities.

Forrester principal analyst Allie Mellen pointed out that IBM's QRadar lacked a fully-fledged XDR offering, focusing more on EDR. This gap might have influenced IBM's decision to divest QRadar.

For Palo Alto Networks, acquiring QRadar represents a significant boost. The company plans to integrate QRadar's capabilities with its Cortex XSIAM platform, known for its automation and MDR features. While Palo Alto Networks has made rapid advancements with Cortex XSIAM, analysts like Parizo believe it still lacks the maturity and robustness of IBM's QRadar.

Palo Alto Networks intends to offer free migration paths to its Cortex XSIAM for existing QRadar SaaS customers, with IBM providing over 1,000 security consultants to assist with the transition. This free migration option will also extend to "qualified" on-premises QRadar customers.

The long-term prospects for QRadar SaaS under Palo Alto Networks remain unclear. Analysts suggest that the acquisition aims to capture QRadar's customer base rather than sustain the product. As contractual obligations expire, customers will likely need to transition to Cortex XSIAM or consider alternative vendors.

A notable aspect of the agreement is the incorporation of IBM's Watsonx AI into Cortex XSIAM, which will enhance its Precision AI tools. Gartner's Avivah Litan highlighted IBM's strong AI capabilities, suggesting that this partnership could benefit both companies.

In conclusion, IBM's exit from the cybersecurity software market marks a paradigm shift, prompting customers to reevaluate their security strategies. As Palo Alto Networks integrates QRadar into its offerings, the industry will closely watch how this transition unfolds and its impact.




Read more »
Two Factor Authentication
CrowdStrike Cyber Attacks cybercriminals Employee Data Employees IBM Identity Theft MFA phishing Two Factor Authentication

Safeguarding Your Employee Data From Identity Theft

 

In today's digital age, where data breaches and cyberattacks are increasingly common, safeguarding against identity-based attacks has become paramount for organizations worldwide. Identity-based attacks, which involve the unauthorized access to sensitive information through compromised user credentials, pose significant risks to businesses of all sizes and industries. 

As CrowdStrike reported, 80% of attacks involve identity and compromised credentials, highlighting the widespread nature of this threat. Additionally, an IBM report found that identity-related attacks are now the top vector impacting global cybercrime, with a staggering 71% yearly increase. 

Cybercriminals employ various tactics to carry out identity-based attacks, targeting organizations through phishing campaigns, credential stuffing, password spraying, pass-the-hash techniques, man-in-the-middle (MitM) attacks, and more. Phishing campaigns, for example, involve the mass distribution of deceptive emails designed to trick recipients into divulging their login credentials or other sensitive information. Spear-phishing campaigns, on the other hand, are highly targeted attacks that leverage personal information to tailor phishing messages to specific individuals, increasing their likelihood of success.  

Credential stuffing attacks exploit the widespread practice of password reuse, where individuals use the same passwords across multiple accounts. Cybercriminals obtain credentials from previous data breaches or password dump sites and use automated tools to test these credentials across various websites, exploiting the vulnerabilities of users who reuse passwords. Password spraying attacks capitalize on human behavior by targeting commonly used passwords that match the complexity policies of targeted domains. 

Instead of trying multiple passwords for one user, attackers use the same common password across many different accounts, making it more difficult for organizations to detect and mitigate these attacks. Pass-the-hash techniques involve obtaining hashed versions of user passwords from compromised systems and using them to authenticate into other systems without needing to crack the actual password. This method allows attackers to move laterally within a network, accessing sensitive data and executing further attacks. MitM attacks occur when attackers intercept network connections, often by setting up malicious Wi-Fi access points. 

By doing so, attackers can monitor users' inputs, including login credentials, and steal sensitive information to gain unauthorized access to accounts and networks. To mitigate the risk of identity-based attacks, organizations must adopt a multi-layered approach to security. This includes implementing strong password policies to prevent the use of weak or easily guessable passwords and regularly auditing user accounts for vulnerabilities. 

Multi-factor authentication (MFA) should be implemented across all applications to add an extra layer of security by requiring users to provide a second form of authentication, such as a one-time password or biometric data, in addition to their passwords. Furthermore, organizations should protect against social engineering attacks, which often target service desk staff to gain unauthorized access to sensitive information. Automated solutions can help verify user identification and reduce the risk of social engineering vulnerabilities. 

 Identity-based attacks pose significant risks to organizations, but by implementing robust security measures and remaining vigilant against evolving threats, businesses can effectively mitigate these risks and safeguard their sensitive information from cybercriminals.
Read more »
X-Force
AI Cyber Attacks CyberCrime Cybersecurity IBM Valid Accounts X-Force

IBM Signals Major Paradigm Shift as Valid Account Attacks Surge

 


As a result of IBM X-Force's findings, enterprises cannot distinguish between legitimate authentication and unauthorized access due to poor credential management. Several cybersecurity products are not designed to detect the misuse of valid credentials by illegitimate operators, and this is a major problem for organizations seeking to detect illegitimate uses. 

Henderson added that these products do not detect illegitimate activity. In addition to widespread credential reuse and a vast repository of valid credentials that are being sold on the dark web for sale, IBM also stated that cloud account credentials account for almost 90% of the assets for sale on the dark web, which is also fueling the rise of identity-based attacks. 

The practice of credential reuse, Henderson said, can deliver the same results as single sign-on providers by allowing threat actors to gain access to a large number of accounts at once. It is well known that because users reuse credentials for many, many different accounts, the credentials themselves become de facto single sign-on. 

In the year 2023, the number of phishing campaigns that were linked to attacks declined by 44% from 2022 as threat actors flocked to valid credentials. Phishing accounted for almost one in three of the total number of incidents resolved by X-Force in 2016. 

It's not a technology shift for threat actors. They are taking low-cost routes of entry to maximize their return on investment. That's what Henderson said was not a technology shift, but rather a business strategy shift on their part. According to IBM's report, organizations still need to correct the mistakes cybersecurity experts have warned about for years. 

It is Henderson's belief that the industry would be dealing with newer and bigger problems by now, but he does not seem discouraged at all. The great thing about this report is that it simplifies what we need to do, and what's great about it is that there are no things that are insurmountable highlighted in it. 

Henderson explained that focusing on the right things and prioritizing them will solve the authentication problem. Henderson added that even if authentication is solved, it will be followed by another problem. 

However, as we get more and more successful, we reduce their return on investment, making it more difficult for them to commit crimes. It takes a lot of effort to toss out the business model that governs cybercrime, and that is exactly what companies are trying to do.
Read more »
Technology
IBM IT Organization security saaS Technology

SaaS Challenges and How to Overcome Them


According to 25% of participants in an IBM study conducted in September 2022 among 3,000 companies and tech executives worldwide, security worries stand in the way of their ability to achieve their cloud-related goals. Nowadays, a lot of organizations think that using the cloud comes with hazards. However, the truth is not quite that dire; if you follow certain security best practices, the cloud may be a safe haven for your data.

Businesses need to have a solid security plan in place to handle their SaaS security concerns if they want to fully benefit from cloud computing. In the first place, what are these worries?

SaaS Challenges

  • Lack of experts in IT security. Companies compete intensely to attract qualified specialists in the tight market for IT security professionals, especially those working on cloud security. In the United States, there are often insufficient skilled workers to cover only 66% of cybersecurity job openings.
  • Problems with cloud migration. A major obstacle to cloud adoption, according to 78% of cloud decision-makers surveyed by Flexera in 2023, was a lack of resources and experience. Inexperience with cloud systems can result in security-compromising migration errors.
  • Insider dangers and data breaches. Regretfully, the largest challenge facing cloud computing is still data breaches. 39% of the firms polled in the 2023 Thales Cloud Security Study reported having data breaches.
  • SaaS enlargement. Some businesses utilize more SaaS technologies than they require. According to BetterCloud, companies used 130 SaaS apps on average in 2022, which is 18% more than in 2021. Managing multiple SaaS apps increases the amount of knowledge and error-proneness that can arise.
  • Adherence to regulations. The technology used in clouds is quite recent. As a result, there may be gaps in some SaaS standards, and industry or national compliance standards are frequently different. Security is compromised when SaaS tools are used that don't adhere to international rules or lack industry standards.
  • Security and certification requirements. To protect client data, SaaS providers must adhere to industry standards like SOC 2 and ISO 27001. Although it requires more work for vendors, certifying adherence to such standards is crucial for reducing security threats.

Monitoring Leading SaaS Security Trends

Cyberattacks will cost businesses $10.5 trillion annually by 2025, a 300% increase over 2015, predicts McKinsey. Businesses need to keep up with the latest developments in data security if they want to reduce the risk and expense of cyberattacks. They must adopt a shared responsibility model and cloud-native solutions built with DevSecOps standards to actively manage their SaaS security.


Read more »
Websites
Cyberattacks CyberCrime Cybersecurity IBM JavaScript malware Software Web Injections Websites

Sophisticated Web Injection Campaign Targets 50,000 Individuals, Pilfering Banking Data


Web injections, a favoured technique employed by various banking Trojans, have been a persistent threat in the realm of cyberattacks. These malicious injections enable cybercriminals to manipulate data exchanges between users and web browsers, potentially compromising sensitive information. 

In a new finding, it has been revealed that the malware campaign that first came to light in March 2023 has used JavScript web injections in an attempt to steal data from over 50 banks, belonging to around 50,000 used in North America, South America, Europe, and Japan.  

IBM Security has dissected some JavaScript code that was injected into people's online banking pages to steal their login credentials, saying 50,000 user sessions with more than 40 banks worldwide were compromised by the malicious software in 2023. As IBM’s researchers explained, it all starts with a malware infection on the victim’s endpoint. 

After that, when the victim visits a malicious site, the malware will inject a new script tag which is then loaded into the browser and modifies the website’s content. That allows the attackers to grab passwords and intercept multi-factor authentication codes and one-time passwords.

IBM says this extra step is unusual, as most malware performs web injections directly on the web page. This new approach makes the attacks more stealthy, as static analysis checks are unlikely to flag the simpler loader script as malicious while still permitting dynamic content delivery, allowing attackers to switch to new second-stage payloads if needed. 

It's also worth noting that the malicious script resembles legitimate JavaScript content delivery networks (CDN), using domains like cdnjs[.]com and unpkg[.]com, to evade detection. Furthermore, the script performs checks for specific security products before execution. Judging by the evidence to hand, it appears the Windows malware DanaBot, or something related or connected to it, infects victims' PCs – typically from spam emails and other means – and then waits for the user to visit their bank website. 

At that point, the malware kicks in and injects JavaScript into the login page. This injected code executes on the page in the browser and intercepts the victim's credentials as they are entered, which can be passed to fraudsters to exploit to drain accounts. The script is fairly smart: it communicates with a remote command-and-control (C2) server, and removes itself from the DOM tree – deletes itself from the login page, basically – once it's done its thing, which makes it tricky to detect and analyze. 

The malware can perform a series of nefarious actions, and these are based on a "mlink" flag the C2 sends. In total, there are nine different actions that the malware can perform depending on the "mlink" value. These include injecting a prompt for the user's phone number or two-factor authentication token, which the miscreants can use with the intercepted username and password to access the victim's bank account and steal their cash. 

The script can also inject an error message on the login page that says the banking services are unavailable for 12 hours. "This tactic aims to discourage the victim from attempting to access their account, providing the threat actor with an opportunity to perform uninterrupted actions," Langus said. Other actions include injecting a page loading overlay as well as scrubbing any injected content from the page.  

"This sophisticated threat showcases advanced capabilities, particularly in executing man-in-the-browser attacks with its dynamic communication, web injection methods and the ability to adapt based on server instructions and current page state," Langus warned. "The malware represents a significant danger to the security of financial institutions and their customers." Cybercriminals are exploiting sophisticated web injection techniques to compromise over 50,000 banks throughout the world as a threat escalating. 

DanaBot or similar malware entails the manipulation of user data through JavaScript injections, which allows them to steal login credentials with ease. In this dynamic attack detected by IBM Security, malicious scripts are injected directly into banking pages, evading conventional detection methods, and resulting in a dynamic attack. 

As a way to prevent malware infections, users are recommended to keep their software up-to-date, enable multi-factor authentication, and exercise caution when opening emails to prevent malware infections. To ensure that we are protected from the evolving and adaptive nature of advanced cyber threats, we must maintain enhanced vigilance in identifying and reporting suspicious activities.
Read more »
Technology
Artificial Intelligence Brain-Like Chip ChatGPT CyberCrime Cybersecurity IBM Technology

Innovative 'Brain-Like' Chip Could Transform AI Landscape with Eco-Friendly Promise

 


Using a prototype chip that looks like a brain, IBM, one of the world's most respected technology giants, says it may be possible to increase the efficiency of artificial intelligence (AI) by enhancing energy efficiency. The advancement addresses the challenges related to the emissions emission associated with artificial intelligence systems that require expansive buildings to store electricity. 

In the realm of artificial intelligence (AI), IBM claims that its prototype chip, which makes AI more efficient, is likely to revolutionize things. There are several components found in IBM's chip, including ones that are designed in a similar way to the connections found in the brain, which results in a more energy-efficient chip and a shorter battery life for Artificial Intelligence systems. 

According to Thanos Vasilopoulos, who is a scientist stationed at IBM's research lab in Zurich, Switzerland, the brain's ability to carry out intense tasks at a low energy consumption is partly responsible for the exceptional energy efficiency of computer systems. According to Apple, this technological breakthrough could lead to the development of more efficient smartphone AI chips. By doing so, large and complex workloads can be executed in environments that are low-power or battery-constrained, such as cars, mobile phones, and video cameras, using AI technology. 

Several components in IBM's chip differ from digital chips popular in the past, with which information is stored as 0s and 1s, as opposed to memristors which are analog components that can store a wide range of numbers in an analog format. By using memristors, the chip is capable of mimicking the way synapses in the brain work, which allows it to "remember" how it got its electricity from year to year. A brain-like technology could provide the building blocks for the development of networks that are similar to biological brains by using this type of technology. 

Analog to Digital Conversion


A major flaw of most chips is that they are primarily digital, meaning they store data as 0s and 1s, whereas the new chips are analog, meaning they can keep a range of numbers using components called memristors. 

A digital switch is an electrical switch that can be compared to an analog switch, which is an electrical switch that sees a different light when you flip the switch. The nature of the human brain is analog, and the structure of memristors is similar to that of synapses in the brain, which are analogous to each other. 

Ferrante Neri, a professor of physics at the University of Surrey, explains that the use of memristors falls into the special category of what could be called nature-inspired computing, as it mimics the functions of the human brain. Memory cells play an important role in storing information about the electrical history of a biological system, in the same way, that a synapse in a biological system can store information about the electrical history of that system. 

The memristor, similar to a synapse in a biological system, comes with the ability to "remember" its electrical history within the circuit board. Essentially, he said, there could be a system of memristors that would look like a biological brain if the devices were interconnected. 

Despite this, he cautioned that developing a computer with memristor technology is not a simple proposition and that there will be several challenges ahead before memristor technology becomes widely adopted, such as dealing with manufacturing difficulties and rising costs of materials. 

Improved Energy Efficiency 


Using these components makes it possible for the new chip to run more efficiently and be more energy efficient while also having some digital components. It makes the chip easier to integrate into a system that already uses artificial intelligence. Nowadays, many phones come with onboard AI chips for them to be able to perform tasks such as processing photos. Taking the iPhone for instance, it has a chip with a neural engine that makes it make intelligent decisions.

IBM hopes to improve the efficiency of the chips in phones and cars so they can have a longer battery life and be capable of supporting new applications in the future. Eventually, it is possible that chips such as IBM's prototype could save a great deal of electricity if they were replaced with chips that are currently being used in the banks of computers that operate powerful artificial intelligence programs. 

James Davenport, an IT professor at the University of Bath, has said the findings from IBM are "potentially interesting"; however, he cautions that the chip is not immediately effective as a solution, but rather only acts as a "possible first step" in solving the problem. 

In a similar way to how the brain stores information on synapses in a wide range of peripheral nerve cells, this analog marvel uses memristors to store an immense amount of data. This chip due to its low-power and analog nature is not only more energy efficient than other chips on the market, but it also makes it possible for AI to be integrated into low-power environments such as mobile phones and vehicles.

It is important to note that while there are still challenges ahead, researchers have marked a significant step forward toward a more efficient and greener future of artificial intelligence. Despite not being a solution to the problem of AI energy consumption, it is a vital first step that could be taken to address the ever-evolving challenges associated with it. 

In the future, users will be interested to see how this 'Brain-Like' chip will impact AI ecosystems and sustainability, as it is fascinating to see how it unfolds even at this early stage of development.
Read more »
Ransomware
Cobalt Strike Cyber Attacks Cyberfrauds Cybersecurity Domino IBM malware Ransomware

Domino Backdoor Malware Created by FIN7 and Ex-Conti

 


Members of the now-defunct Conti ransomware gang have been using a new strain of malware developed by threat actors likely affiliated with the FIN7 hacking group. This suggests that the two teams collaborated in the malware development, indicating a cooperative effort. 

In the past month, IBM discovered an innovative malware family known as "Domino," which was developed by ITG14, aka FIN7, one of the most notorious cybercrime groups in the world. A lesser-known information stealer that has been advertised for sale on the dark web since December 2021 is included in Domino, which facilitates further exploitation of compromised systems.

Research by the X-Force team revealed that in May, when the Conti gang was disbanded, Conti threat actors began using Domino. This was about four months after FIN7 started using Domino in October last year.  

The newly discovered Trojan horse, "Domino," has been used by a Trickbot/Contini gang, ITG23, since February 2023, according to X-Force. 

Domino's code overlaps Lizar malware, previously linked to the FIN7 group, which IBM has discovered, according to an IBM research report. There are also similarities between malware families in terms of their functionality, configuration structure, and formats used for handling bots. 

In some recent campaigns, IBM's security researchers reported that Lizar, also known as Tirion and Dice Loader, may have been used instead of Lizar for attacks between March 2020 and late 2022. 

According to IBM researchers, there have been attacks using a malware loader, known as Dave Loader, which was previously used by Conti ransomware and TrickBot members in the fall of 2022. 

In attacks against the Royal and Play ransomware operations carried out by ex-Conti members, it was observed that this loader was deploying Cobalt Strike beacons that used a '206546002' watermark. 

Former members of ITG23 could be behind the recent cyberattacks that are believed to have been carried out using the Dave Loader to inject the Domino Backdoor. 

ITG14, also known as FIN7, is a prolific Russian-speaking cybercriminal syndicate that is known for employing a variety of custom malware to deploy additional payloads to increase their monetization methods and enlarge their distribution channels. 

There is a 64-bit DLL called Domino Backdoor, which will enumerate system information, such as the names and statuses of processes, usernames, and computers, and send that information back to the attacker's Command & Control server, where it can be analyzed. Backdoors receive commands to be executed, and they can also be delivered in the future. 

An observation was made that the backdoor had downloaded an additional loader, Domino Loader, that installed an embedded information-stealer calling itself 'Nemesis Project.' Additionally, it could plant a Cobalt Strike beacon to ensure the backdoor was not identified as a backdoor. 

A Conti loader called "Dave" was used by the threat actors during the campaign to drop FIN7's Domino backdoor on the endpoints. The backdoor was able to gather basic information about the system at hand and send it to a command and control server (C2). 

Upon being hacked, the C2 returned to the compromised system a payload that was encrypted with AES. It was found in many cases that the encrypted payload was another loader with several code similarities to the initial backdoor used by Domino. On the compromised system, either the Cobalt Strike info stealer or the Project Nemesis info stealer was installed by the Domino loader to complete the attack chain. 

The majority of threat actors, especially those who use ransomware to spread malware and gain access to corporate networks, partner with other threat groups to distribute malware. There is now little distinction between malware developers and ransomware gangs as the lines between them have gotten blurry over the years, making it difficult to distinguish between them. 

It was only a matter of time before the lines between TrickBot and BazarBackdoor became blurred as the Conti cybercrime syndicate, based in Rome, assumed control over both sites' development for its exploitation. 

According to Microsoft, a threat actor called DEV-0569 published intrusions committed in November 2022 that incorporated BATLOADER malware for delivering Vidar, and Cobalt Strike ransomware, and the latter eventually enabled the human-operated ransomware attacks that distributed Royal in December 2022. 

As the world of cybersecurity becomes increasingly shady, things are getting a bit murky. The issue of distinguishing malware developers from ransomware gangs is becoming increasingly difficult as time goes by.
Read more »
Vulnerability
Aspera Faspex Cybersecurity IBM Patching Vulnerability

The Urgent Need to Address the Critical Bug in IBM's Aspera Faspex

IBM's widely used Aspera Faspex has been found to have a critical vulnerability with a 9.8 CVSS rating, which could have serious consequences for organizations using the software. This blog will discuss the vulnerability in detail and the importance of taking prompt action to mitigate the risk.

Aspera Faspex vulnerability

IBM Vulnerability | An Overview

IBM's widely used Aspera Faspex file transfer system has a serious problem. A critical bug that could allow hackers to run any code they want is being used by cybercriminals, including ransomware groups. Even though IBM has released a patch to fix the issue, many organizations have failed to install it. 

Researchers are warning that this vulnerability is being exploited, and one of their customers was recently hacked due to this problem. It's important to take immediate action to fix this vulnerability to avoid being targeted by hackers.

What is Aspera Faspex?

Aspera Faspex is a software application that provides secure file transfer capabilities to businesses and organizations. It is widely used across various industries, including media and entertainment, healthcare, finance, and government agencies.

Understanding the Vulnerability

The vulnerability (CVE-2022-5859) in Aspera Faspex version 4.1.3 and earlier versions arises from insufficient validation of user-supplied input in the software. Attackers could exploit this vulnerability by sending specially crafted data to the application, leading to arbitrary code execution. This could enable attackers to bypass authentication and execute code on the vulnerable system, which could result in significant data breaches and other security incidents.

The Impact of the Vulnerability

The vulnerability in Aspera Faspex is considered critical, with a CVSS rating of 9.8 out of 10. This means that it is highly exploitable and could have severe consequences for organizations using the software. Attackers could gain unauthorized access to sensitive data, execute malicious code, and cause significant disruptions to business operations.

The Importance of Timely Patching

IBM has recommended that organizations using the affected version of the software should upgrade to a patched version as soon as possible to address the vulnerability. Timely patching is critical in mitigating the risk of cyberattacks and data breaches. Organizations that delay patching are putting themselves at increased risk of cyberattacks and other security incidents.

The Role of Security Hygiene

In addition to timely patching, implementing robust security measures is crucial in preventing cyberattacks and minimizing the impact of security incidents. IBM has emphasized the importance of following standard security practices, including network segmentation and monitoring for unusual behavior. These security measures can help organizations detect and respond to security incidents in a timely manner.

The Significance of the Aspera Faspex Vulnerability

The Aspera Faspex vulnerability is a reminder of the importance of prioritizing security in any organization. With the evolving security landscape, organizations must remain vigilant and continuously update their security measures to mitigate the risk of cyberattacks and other security incidents. Failure to take prompt action in addressing vulnerabilities could have severe consequences for organizations, including financial losses, reputational damage, and legal implications.

Read more »
Zero- day vulnerability
Data Breach domains IBM Jenkins servers Malicious actor TTPs Zero- day vulnerability

Malicious Actor Claims Targeting IBM & Stanford University

 

Jenkins was mentioned as one of the TTPs employed by spyware in a report on a British cybercrime forum found by CloudSEK's contextual AI digital risk platform XVigil. To boost ad clickthroughs, this module features stealth desktop takeover capabilities. Based on unofficial talks, CloudSEK experts anticipate that this harmful effort will increase attempts to infect bots. 

Evaluation of threats 

A malicious actor detailed how they hacked into a major organization by taking advantage of a flaw in the Jenkins dashboard in a post on a cybercrime site on May 7, 2022. 

Previously, the same threat actor was observed giving access to IBM. In addition, the actor provided evidence of a sample screenshot showing their alleged connection to a Jenkins dashboard. 

The malicious actors came upon a Jenkins dashboard bypass that had internal hosts, scripts, database logins, and credentials. They exploited the company's public asset port 9443 by using search engines like Shodan as per researchers. 

After receiving data, the actor employed a custom debugging script to find vulnerable targets for bypassing rproxy misconfiguration. 

Origin of the threat actor

The hacker claimed they previously targeted IBM Tech Company as well, in particular internal administrators' scripts and firewall configurations for internal networks, in other posts by the same person on the cybercrime site.

The actor also stated the following exploit narrative as to how to get into Stanford University in their future posts: 
  • The actor counted all the subdomains connected to the University using the Sudomy tool. 
  • The actor then applied a path, such as -path /wp-content/plugins/, to the domains using httpx. 
  • An attacker can execute RCE on the plugin by returning data from all of the subdomains that have a valid path with the susceptible zero-day vulnerability. 

According to CloudSEK, which reported the threats, other entities could execute similar exploits using the threat actor's TTP. "Modules like these can facilitate complex ransomware assaults and persistence," the security experts said while adding that threat actors "could migrate laterally, infecting the network, to retain persistence and steal credentials." 

Actors may utilize revealed credentials to access the user's other accounts because password reuse is standard practice. For reference, the malicious actors also took credit for hacking Stanford University and Jozef Safarik University in Slovakia. 

According to reports from XVigil, official access to the domains was reportedly found in several nations, including Ukraine, Pakistan, United Arab Emirates, and Nepal. 
Read more »
Vulnerabilities and Exploits
CISA CVE CVS Encryption IBM Unauthorized Websites Vulnerabilities and Exploits

Carrier's Industrial Access Control System has Critical Flaws

 

Carrier's LenelS2 HID Mercury access control system, which is widely used in healthcare, academic, transport, and federal buildings have eight zero-day vulnerabilities.

In a report shared by The Hacker News, Trellix security experts Steve Povolny and Sam Quinn wrote, "The vulnerabilities found to enable us to demonstrate the ability to remotely open and lock doors, manipulate alarms, and degrade logging and notification systems." 

The investigation begins at the hardware level; Researchers were able to change onboard components and connect with the device by using the manufacturer's built-in ports. 

They were able to gain root access to the device's operating system and extract its firmware for virtualization and vulnerability or other exploits using a combination of known and unique techniques. One of the issues (CVE-2022-31481) contains an unauthorized remote execution weakness with a CVSS severity rating of 10 out of 10. The following is the detailed list of flaws: 
  • Unauthenticated command injection vulnerability CVE-2022-31479. 
  • Unauthenticated denial-of-service vulnerability CVE-2022-31480.
  • CVSS 10 rated RCE vulnerability is CVE-2022-31481. 
  • Unauthenticated denial-of-service vulnerability CVE-2022-31482. 
  • An authenticated arbitrary file write vulnerability, CVE-2022-31483. 
  • Unauthenticated user modification vulnerability CVE-2022-31484.
  • Unauthenticated information spoofing vulnerability CVE-2022-31485. 
  • An authenticated command injection vulnerability, CVE-2022-31486 

Carrier has issued an alert in response to the revelation, which includes further details, mitigations, and firmware patches that consumers should apply right now. 

In locations where physical access to privileged facilities is required, LenelS2 is used to connect with more complicated building automation implementations. The following LenelS2 HID Mercury access or unauthorized access panels are affected: 
  • LNL-X2210 
  • LNL-X2220 
  • LNL-X3300 
  • LNL-X4420
  • LNL-4420 
  • S2-LP-1501 
  • S2-LP-1502 
  • S2-LP-2500, as well as 
  • S2-LP-4502 

According to a study conducted by IBM in 2021, the average cost of a physical data breach is 3.54 million dollars, with a detection time of 223 days. 

For companies that rely on access control systems to protect the security and safety of its facilities, the stakes are high. "ICS security presents unique issues," according to the US Cybersecurity and Infrastructure Security Agency (CISA). 

The increasing convergence of information technology (IT) and operational technology (OT) presents chances for exploitation that could result in catastrophic repercussions, including loss of life, economic damage, and disruption of society's National Critical Functions (NCFs)."

Consumers should be aware that while the vulnerabilities revealed recently may appear to have minimal impact created by hackers, critical infrastructure assaults have a significant impact on our everyday lives.
Read more »
Security
Algorithm IBM malware Prometheus Ransomware Security

Prometheus Ransomware's Bugs Inspired Researchers to Try to Build a Near-universal Decryption Tool

 

Prometheus, a ransomware variant based on Thanos that locked up victims' computers in the summer of 2021, contained a major "vulnerability" that prompted IBM security researchers to attempt to create a one-size-fits-all ransomware decryptor that could work against numerous ransomware variants, including Prometheus, AtomSilo, LockFile, Bandana, Chaos, and PartyTicket. 

Despite the fact that the IBM researchers were able to erase the work of many ransomware versions, the panacea decryptor never materialised. According to Andy Piazza, IBM worldwide head of threat intelligence, the team's efforts indicated that while some ransomware families may be reverse-engineered to produce a decryption tool, no organisation should rely on decryption alone as a response to a ransomware assault. 

“Hope is not a strategy,” Piazza said at RSA Conference 2022, held in San Francisco in person for the first time in two years. 

Aaron Gdanski, who was assisted by security researcher Anne Jobman, stated he became interested in developing a Prometheus decryption tool when one of IBM Security's clients got infected with the ransomware. He started by attempting to comprehend the ransomware's behaviour: Did it persist in the environment? Did it upload any files? And, more particularly, how did it produce the keys required to encrypt files? 

Gdanski discovered that Prometheus' encryption process relied on both "a hardcoded initialization vector that did not vary between samples" and the computer's uptime by using the DS-5 debugger and disassembler. Gdanski also discovered that Prometheus generated its seeds using a random number generator that defaulted to Environment.

“If I could obtain the seed at the time of encryption, I could use the same algorithm Prometheus did to regenerate the key it uses,” Gdanski stated. 

Gdanski had a starting point to focus his investigation after obtaining the startup time on an afflicted system and the recorded timestamp on an encrypted file. Gdanski developed a seed from Prometheus after some further computations and tested it on sections of encrypted data. Gdanski's efforts were rewarded with some fine-tuning. Gdanski also discovered that the seed changed based on when a file was encrypted. That meant that a single decryption key would not work, but he was able to gradually generate a series of seeds that could be used for decryption by sorting the encrypted files by the last write time on the system. 

Gdanski believes the result might be applied to other ransomware families that rely on similar flawed random number generators. “Any time a non-cryptographically secure random number generator is used, you’re probably able to recreate a key,” Gdanski stated. 

However, Gdanski stressed that this problem is unusual in his experience. As Piazza emphasised, the best protection against ransomware isn't hoping that the ransomware used in an assault is badly executed, it’s preventing a ransomware attack before it happens.
Read more »
VMware
Cyberattack data wipers Google Honeypot Installation IBM Malicious actor malware python RaaS Ransomware Attacks. VMware

JupyterLab Web Notebooks Targeted by Unique Python-Based Ransomware

 

The first-ever Python-based ransomware virus specifically tailored to target vulnerable Jupyter notebooks has been revealed by researchers. It is a web-based immersive computing platform which allows editing and running programs via a browser. Python isn't widely used for malware development, instead, notably, thieves prefer languages like Go, DLang, Nim, and Rust. Nonetheless, this isn't the first time Python has been used in a ransomware attack. Sophos disclosed Python ransomware, particularly targeting VMware ESXi systems in October 2021. 

Jupyter Notebook is a web-based data visualization platform that is open source. In data science, computers, machine learning, and modular software are used to model data. Over 40 programming languages are supported by the project, which is used by Microsoft, IBM, and Google, as well as other universities. According to Assaf Morag, a data analyst at Aqua Security, "the attackers got early access via misconfigured environments, then executed a ransomware script it encrypts every file on a particular path on the server and eliminates itself after execution to disguise the operation." 

The Python ransomware is aimed at those who have unintentionally made one's systems susceptible. To watch the malware's activities, the researchers set up a honeypot with an exposed Jupyter notebook application. The ransomware operator logged in to the server, opened a terminal, downloaded a set of malicious tools, including encryptors, and then manually generated a Python script. While the assault came to a halt before completing the mission, Team Nautilus was able to gather enough data to mimic the remainder of the attack in a lab setting. The encryptor would replicate and encrypt files, then remove any unencrypted data before deleting itself. 

"There are over 11,000 servers with Jupyter Notebooks which are internet-facing," Aqua researcher Assaf Morag stated. "Users can execute a brute force attack and perhaps obtain access to some of them — one would be amazed how easy it can be to predict these passwords." We believe the attack either timed out on the honeypot or the ransomware is still being evaluated before being used in real-world attacks." Unlike other conventional ransomware-as-a-service (RaaS) schemes, Aqua Security described the attack as "simple and straightforward," adding since no ransom note was displayed on the process, raising the possibility the threat actor was experimenting with the modus operandi or the honeypot scheduled out before it could be completed. 

Regardless, the researchers believe it is ransomware rather than a wiper weapon based on what they have. "Wipers typically exfiltrate data and delete it or simply wipe it," Morag continued. "We haven't observed any attempts to move the data outside the server, and the data wasn't just erased, it was encrypted with a password," says the researcher. This is even additional evidence this is a ransomware attack instead of a wiper."

Although evidence discovered during the incident study leads to a Russian actor, citing similarities with prior crypto mining assaults focused on Jupyter notebooks, the attacker's identity remains unknown.
Read more »
Trojan
Cyber Security IBM ITG18 Operational Security Research Trojan

Researchers Learn from ITG18 Group's OpSec Mistakes

 

A team of IBM X-Force security experts analyzed attackers' operational security mistakes to disclose the core details of how the group functions and launches attacks in their analysis of a group known as ITG18, also identified as Charming Kitten and Phosphorous. 

ITG18 has a history of targeting high-profile victims, journalists, nuclear experts, and persons working on the COVID-19 vaccine research. It is linked to Iranian government operations. It was related to an assault in late 2019. 

Richard Emerson, senior threat hunt analyst with IBM X-Force stated, "How we define this group is they're primarily focused on phishing and targeting personal accounts, although there's evidence that they may also go after corporate accounts as well." Based on the amount of infrastructure it has registered, researchers believe it to be a "rather sizable organization" - Emerson adds that they have over 2,000 indicators connected to this group alone during the last couple of years. 

According to Allison Wikoff, a senior strategic cyber-threat analyst at IBM X-Force, the team achieved "a major breakthrough" in studying ITG18 behavior while examining an attack on executives at a COVID-19 research center. 

Researchers collected indicators that are linked with attackers' activities on a regular basis; when investigating ITG18's activity, the team discovered flaws in the attackers' infrastructure, resulting in a plethora of fresh information. 

"When we saw this open server, we collected videos and exfiltrated information. Over the course of the last 18 months, we've continually seen the same errors from this group," she added. 

Researchers discovered training videos used by the group among the data they gathered. These details include how the organization maintains access to hacked email accounts, how attackers exfiltrate data, and how they build on compromises with stolen data. The videos gave investigators a better understanding of the procedures, yet the mistakes persisted. 

ITG18 has a habit of misconfiguring its servers to leave listable folders, according to Emerson. Anyone with access to the IP address or domain can read the files without requiring authentication. The group keeps their stolen data on numerous of these servers, where anybody might find massive, archived files ranging from 1GB to 100–150GB — all of which could be related to a single targeted individual. Researchers have also discovered ITG18 storing tools on these misconfigured servers, some of which are genuine and others which are custom. 

According to Emerson and Wikoff, the group's new Android remote access Trojan is used to infect the targets they track on a regular basis. The code was dubbed "LittleLooter."  

ITG18's blunders have benefited Emerson and Wikoff in painting a more comprehensive view of how the organization functions and speculating on what its future activities would entail. Wikoff points out that the assaults aren't particularly complex, and that the study shows they aren't likely to evolve. 

"The interesting thing about this particular group is that the tactics haven't really changed all that much in the four to five years [we] have been laser-focused on it," she added. 

Others have previously reported on ITG18's misconfigured servers, so the attackers are likely aware of the problem but haven't rectified it. It appears that the group either does not want to fix the error, does not want to modify their operating tempo, or that another factor is at play. 

While many defensive suggestions aren't specific to ITG18, multifactor authentication is a significant deterrent for these attackers, Wikoff points out that this group is complicated because they primarily target personal resources. 

Even though companies control their workers' personal information, these attacks may compromise corporate security. Emerson advised that businesses should examine how they would respond if an employee is harmed in one of these assaults and how they can teach staff to be aware of the dangers they face.
Read more »
Subscribe to: Posts (Atom)