I'm a newbie to podcasts, but I got hooked recently because I can listen while doing something else.

What are your favorite cybersecurity podcasts? I'm not even sure the best way to link podcasts either, but regardless: the ones I'm liking so far are:

The Cyberwire: https://thecyberwire.com/podcasts

CISO Series: https://cisoseries.com/

Darknet Diaries: https://darknetdiaries.com/

Cybersecurity Today: https://www.itworldcanada.com/podcasts

Smashing Security: https://www.smashingsecurity.com/

Malicious Life: https://malicious.life/

Any more great recommendations? Any drama about the above ones?

Executive summary

In early 2023, the Check Point Incident Response Team (CPIRT) team investigated a malware incident at a European healthcare institution involving a set of tools mentioned in the Avast report in late 2022. The incident was attributed to Camaro Dragon, a Chinese-based espionage threat actor whose activities overlap with activities tracked by different researchers as Mustang Panda and LuminousMoth, whose focus is primarily on Southeast Asian countries and their close peers.

The malware gained access to the healthcare institution systems through an infected USB drive. During the investigation, the Check Point Research (CPR) team discovered newer versions of the malware with similar capabilities to self-propagate through USB drives. In this way, malware infections originating in Southeast Asia spread uncontrollably to different networks around the globe, even if those networks are not the threat actors’ primary targets.

The main payload variant, called WispRider, has undergone significant revisions. In addition to backdoor capabilities and the ability to propagate through USB using the HopperTick launcher, the payload includes additional features, such as a bypass for SmadAV, an anti-virus solution popular in Southeast Asia. The malware also performs DLL-side-loading using components of security software, such as G-DATA Total Security, and of two major gaming companies (Electronic Arts and Riot Games). Check Point Research responsibly notified these companies on the above-mentioned use of their software by the attackers.

The findings in this report, along with corroborating evidence from other industry reports, confirm that Chinese threat actors, including Camaro Dragon, continue to effectively leverage USB devices as an infection vector.

The prevalence and nature of the attacks using self-propagating USB malware demonstrate the need of protecting against those, even for organizations that may not be the direct targets of such campaigns. We found evidence of USB malware infections at least in the following countries: Myanmar, South Korea, Great Britain, India and Russia.

The U.S. Army’s Criminal Investigation Division is urging military personnel to be on the lookout for unsolicited, suspicious smartwatches in the mail, warning that the devices could be rigged with malware.

In an alert issued this week, the army said services members across the military have reported receiving smartwatches unsolicited in the mail and noted that the smartwatches, when used, “have auto-connected to Wi-Fi and began connecting to cell phones unprompted, gaining access to a myriad of user data.”

“These smartwatches may also contain malware that would grant the sender access to saved data to include banking information, contacts, and account information such as usernames and passwords,” the army warned.

“Malware may be present which accesses both voice and cameras, enabling actors access to conversations and accounts tied to the smartwatches,” it added.

What is unclear, however, is whether this is an attack targeting American military personnel. The smartwatches, the investigation division noted, may also be meant to run illegal brushing scams.

“Brushing is the practice of sending products, often counterfeit, unsolicited to seemingly random individuals via mail in order to allow companies to write positive reviews in the receiver’s name allowing them to compete with established products,” the agency said.

There are presently 201k people monitoring domains in Have I Been Pwned (HIBP). That's massive! That's 201k people that have searched for a domain, left their email address for future notifications when the domain appears in a new breach and successfully verified that they control the domain. But that's only a subset of all the domains searched, which totals 231k. In many instances, multiple people have searched for the same domain (most likely from the same company given they've successfully verified control), and also in many instances, people are obviously searching for and monitoring multiple domains. Companies have different brands, mergers and acquisitions happen and so on and so forth. Larger numbers of domains also means larger numbers of notifications; HIBP has now sent out 2.7M emails to those monitoring domains after a breach has occurred. And the largest number of the lot: all those domains being monitored encompass an eye watering 273M breached email addresses 😲

The point is, just as HIBP itself has escalated into something far bigger than I ever expected, so too has the domain search feature. Today, I'm launching an all new domain search experience and 5 announcements about major changes surrounding it. Let's jump into it!

Announcement #:

• 1: There's an all new domain search dashboard
• 2: From now on, domain verification only needs to happen once
• 3: Domain searches are now entirely "serverless"
• 4: There are lots of little optimisation tweaks
• 5: Searches for small domains will remain free whilst larger domains will soon require a commercial subscription

Cybercrime has become a dominant concern for many businesses, as well as individuals. Cybercriminals will target any business, and any individual if they can realize a profit from their minimal efforts. One of the ways that criminals achieve their goals is through the use of malware that garners a fast profit, such as ransomware. More enterprising criminals will use more persistent malware, which enables them to return to the target for further victimization.

Malware has progressed, revealing some trends that may help cybersecurity professionals in combatting current and future strains.

#1. Malware is becoming increasingly aggressive and evasive

Evasive malware, designed to thwart traditional security technologies like first-generation sandboxes and signature-based gateways, is not new. However, the trend toward more sophisticated, aggressive, and evasive malware will probably emerge as a result of the latest developments in Artificial Intelligence (AI). In the past, evasive maneuvers have made static malware analysis approaches insufficient. Fortunately, AI will also be useful in dynamic analysis. Sadly, this could result in a war of machines, creating service disruptions as the two entities battle for supremacy.

#2. Multi-Factor Authentication (MFA) Attacks

Multi-Factor Authentication has finally gained wider adoption in corporate as well as individual settings. What seemed like a panacea to the brute-force attack problem has been shown to be a bit more vulnerable than originally hoped. For example, if a person’s credentials have been compromised, a technique known as “prompt bombing” can be used to create MFA fatigue, eventually causing a person to accept a login notification just to silence the alerts. Many attacks against MFA involve scanning vulnerable login processes to inject the second-factor codes into websites. While not considered malware in the traditional sense, MFA exploits have the same effect of automating an exploit to gain access to sensitive information.

#3. Targeted attacks will give way to mass exploit customization

Targeted attacks require a substantial amount of manual work on the part of the attackers in order to identify victims and then engineer attacks that can fool the victim, as well as create customized compromises and better pre-attack reconnaissance. While attackers have not yet automated these tasks, it is reasonable to assume that some are attempting to do so. One tell-tale sign of automated reconnaissance is its inability to change its behavior. The best defense against this is for cybersecurity professionals to recognize the patterns that are used to compromise a target and work to mitigate those exposures.

#4. More consumer and enterprise data leaks via cloud apps

As we grow more dependent on cloud services, we introduce new exposures. More attackers are targeting cloud-based information. There also seems to be diminished awareness about the implications of putting personal and commercial data and media in the cloud. Moreover, as cloud data management becomes unwieldy, new security vulnerabilities may become public. Malware that results in cloud breaches could present fertile ground for attackers. Cybersecurity professionals must remember that cloud security is not the responsibility of the cloud provider. Proactive protection, as well as testing, remain vital to keeping cloud data safe.

#5. Your refrigerator is running exploits

Devices that weren’t previously connected to the internet, like home appliances, cars, or photo frames, could become the weakest link in our always-on lifestyles. As everything moves online and adoption grows markedly, there will be attacks through systems we haven’t even considered yet. As more personal devices enter office environments, and as office environments have spread to homes, the Internet of Things (IoT) becomes an even greater attack surface.

The Department of Justice established a cyber-focused section within its National Security Division to combat the full range of digital crimes, a top department official said Tuesday.

The National Security Cyber Section — NatSec Cyber, for short — has been approved by Congress and will elevate cyberthreats to “equal footing” with other major national security issues, including counterterrorism and counterintelligence, Assistant Attorney General for National Security Matt Olsen said in remarks at the Hoover Institution in Washington.

The new section enables the agency to “increase the scale and speed of disruption campaigns and prosecutions of nation-state cyberthreats as well as state-sponsored cybercriminals, associated money launderers, and other cyber-enabled threats to national security,” Olsen said.

After years of breakneck growth, China’s security and surveillance industry is now focused on shoring up its vulnerabilities to the United States and other outside actors, worried about risks posed by hackers, advances in artificial intelligence and pressure from rival governments.

The renewed emphasis on self-reliance, combating fraud and hardening systems against hacking was on display at the recent Security China exhibition in Beijing, illustrating just how difficult it will be to get Beijing and Washington to cooperate even as researchers warn that humankind faces common risks from AI. The show took place just days after China’s ruling Communist Party warned officials of the risks posed by artificial intelligence.

Looming over the four-day meet: China’s biggest geopolitical rival, the United States. American-developed AI chatbot ChatGPT was a frequent topic of conversation, as were U.S. efforts to choke off China’s access to cutting-edge technology.

A new policy directive from Maine Information Technology (MaineIT) has put a six-month moratorium on the adoption and use of Generative Artificial Intelligence (AI) technology within all State of Maine agencies due to “significant” cybersecurity risks.

The prohibition on AI will include large language models that generate text such as ChatGPT, as well as software that generates images, music, computer code, voice simulation, and art.

It’s unclear whether and to what extent state employees have been relying on emerging AI tools as part of their jobs. Maine may be the first state in the U.S. to impose such a moratorium.

According to an email to sent on Wednesday to all Executive Branch agencies and employees from Maine’s Acting Chief Information Officer Nick Marquis, MaineIT issued a “cybersecurity directive” prohibiting the use of AI for all state business and on all devices connected to the state’s network for six months, effective immediately.

The BBC CISO says she is a “consummate cynic” about cybersecurity certifications. Helen Rabe believes schemes like the widely recognised ISO 27001 standard are “time consuming” and “cumbersome” to maintain for tech teams, and could be ripe for reform.

Rabe was speaking as part of a panel at the Infosec Europe conference in London, where she joined Munawar Vallji, CISO at rail ticketing platform Trainline, and Dr Emma Philpott, of advisory group the IASME Consortium for a panel on the future of cybersecurity certifications. BBC CISO ‘cynical’ about cybersecurity certifications

Cybersecurity certifications are designed to ensure organisations have an appropriate level of security across their teams. The most common certification is the ISO 27001 from the International Organisation of Standards, which was updated last year and is held by more than 30,000 companies.

While these certifications are not a legal requirement, they can be a contractual stipulation for IT buyers, particularly in public sector organisations. Speaking to Tech Monitor last year, Alan Calder, founder and executive chairman of cyber risk and privacy management company IT Governance, said: “The Department of Work and Pensions, for instance, requires organisations it is contracting to have ISO specification.

Every cybersecurity vendor has a different vision of how generative AI will serve its customers, yet they all share a common direction. Generative AI brings a new focus on data accuracy, precision and real-time insights. DevOps, product engineering and product management are delivering new generative AI-based products in record time, looking to capitalize on the technology’s strengths.

The 5 from the article:

1. Real-time risk assessment and quantification
2. Generative AI will revolutionize extended detection and response (XDR)
3. Improving endpoint resilience, self-healing capability and contextual intelligence
4. Improving existing AI-based automated patch management techniques
5. Managing the use of generative AI tools, including AI-based chatbot services

Complex, well-resourced, and well-organized, Anonymous Sudan looks like a front group for an intelligence service.

Anonymous Sudan's questionable provenance.

Researchers are moved to conclude that Anonymous Sudan is a Russian-run operation, and not the Islamist patriotic hacktivist collective it claims to be,

Is Anonymous Sudan a Russian front group, or a grassroots religious hacktivist group? Researchers at CyberCX have released an intelligence update on Anonymous Sudan after that threat group attacked Australian government organizations. The researchers point out that they assess, with high confidence, that Anonymous Sudan is unlikely to be the simple religious hacktivist group it purports to be, “and that Anonymous Sudan is unlikely to be geographically linked to Sudan.” CyberCX also assesses that the threat group uses a substantial paid proxy infrastructure across various countries to conduct its attacks. “Traffic was highly dispersed, with the common infrastructure across attacks spanning 1720 Autonomous Systems (AS) over 132 countries. Indonesia was the most represented country of origin, followed by Malaysia and the United States,” the researchers explained. That infrastructure probably costs about $2,700 per month. This is an estimate. As CyberCX points out, given the inherently closed nature of the proxy services, “it is difficult to estimate Anonymous Sudan’s likely expenditure on infrastructure.” It’s clear in any case that this supposed backwater organization has suspiciously significant funding and a complex operational style.

The group’s well-organized attacks are not typical of a grassroots organization of religiously motivated hacktivists. “Most authentic grassroots hacktivist organizations observed by CyberCX plan activities in an at least semi-public way, discussing targeting and coordinating operations in forums and group chats. Anonymous Sudan declares specific targets as it attacks, implying it is a closely held operation.” While it’s difficult to determine the group’s geographical location, the timezone during which they’re most active is the UTC-3 region, and that includes both Sudan and Eastern Europe. Anonymous Sudan is actively working with the Russian cyber auxiliary KillNet and its group of Russia-aligned accounts.

Anonymous Sudan primarily writes in English and Russian. Researchers at Trustwave write “There are numerous clues left behind by Anonymous Sudan pointing toward the group being associated in some manner with Killnet. The primary indicator is that Anonymous Sudan’s preferred attack vector is DDoS attacks, the attack type that Killnet has conducted. Other circumstantial evidence pointing toward a Russian connection is that the Anonymous Sudan Telegram posts are mostly in Russian (with some in English), and the targets are all nations that support Ukraine in its fight against Russia.”

Cybersecurity provider Trend Micro Incorporated has been integrating artificial intelligence (AI) into its technologies for a decade, but it hasn’t had the power of generative AI, until now.

Today Trend Micro announced its new Vision One platform, bringing together a series of different cybersecurity capabilities including extended detection and response (XDR), attack surface risk management (ASRM) and zero trust. In many respects, the platform is an evolution of the Trend Micro one platform announced in 2022, with the big new addition being gen AI.

The Trend vision one companion is a gen AI-powered assistant for security operation center (SOC) analysts. The technology enables security teams to use natural language queries to answer questions, assist with threat hunting and accelerate remediation.

“We’ve really tried to think about how we can bring the power of gen AI to the security operation center,” Trend Micro COO Kevin Simzer told VentureBeat. “When you’re in an SOC, It tends to be a bit of a stressful job as they’re inundated with lots of telemetry from all different sources.”

Tesla CEO Elon Musk might have his very own supersecret driver mode that enables hands-free driving in Tesla vehicles.

The hidden feature, aptly named “Elon Mode,” was discovered by a Tesla software hacker known online as @greentheonly. The anonymous hacker has dug deep into the vehicle code for years and uncovered things like how Tesla can lock you out of using your power seats or the center camera in the Model 3 before it was officially activated.

After finding and enabling Elon Mode, greentheonly ventured out to test the system and posted some rough footage of the endeavor. They did not share the literal “Elon Mode” setting on the screen but maintain that it’s real.

The hacker found that the car didn’t require any attention from them while using Tesla’s Full Self-Driving (FSD) software. FSD is Tesla’s vision-based advanced driver-assist system that’s in beta but is currently available to anyone who paid as much as $15,000 for the option. The software was the subject of an internally leaked report last month that indicated FSD has had thousands of customer complaints of sudden braking and abrupt acceleration.

The United Kingdom on Sunday announced a “major expansion” to its Ukraine Cyber Program, which has seen British experts provide remote incident response support to the Ukrainian government following Russian cyberattacks on critical infrastructure.

It follows the British government last year announcing that personnel from cyber and signals intelligence agency GCHQ had been contributing to Ukraine’s defense, including by providing protection against the Industroyer2 malware, alongside delivering hardware and software and limiting “attacker access to vital networks.”

The new funding will also support the provision of “forensic capabilities to enable Ukrainian cyber experts to analyze system compromises, attribute attackers and build better evidence to prosecute these indiscriminate attacks,” said Number 10.

A hacking group that has carried out attacks targeting organizations in Europe, Latin America and Central Asia has been linked to Russia’s military intelligence agency, according to new research.

Microsoft said Wednesday that the group, which it calls Cadet Blizzard, played a significant role at the beginning of Russia’s cyberwar against Ukraine. About a month prior to the invasion, the group deployed WhisperGate malware, which targeted numerous Ukrainian government computers and websites, while Russian tanks and troops were surrounding the Ukrainian borders waiting to start the offense.

Last year, Ukrainian cybersecurity officials along with their allies from the U.K. and the U.S. attributed the WhisperGate attack to units operating under the Russian military intelligence agency known as the GRU, but they did not disclose additional details.

According to Microsoft’s report, Cadet Blizzard operates independently from other GRU-affiliated hacking groups, such as Sandworm. The group is responsible for destructive attacks, cyber espionage, hack-and-leak operations, and defacement attacks — incidents where hackers modify the visual appearance of a website.

Microsoft considers the emergence of a novel GRU-affiliated actor “a notable development in the Russian cyber threat landscape.” According to the researchers, Cadet Blizzard’s cyber operations align with Russia's wider military goals in Ukraine but also pose a danger to NATO countries that provide military aid to Ukraine.

Business email compromises, which supplanted ransomware last year to become the top financially motivated attack vector-threatening organizations, are likely to become harder to track. New investigations by Abnormal Security suggest attackers are using generative AI to create phishing emails, including vendor impersonation attacks of the kind Abnormal flagged earlier this year by the actor dubbed Firebrick Ostricth.

According to Abnormal, by using ChatGPT and other large language models, attackers are able to craft social engineering missives that aren’t festooned with such red flags as formatting issues, atypical syntax, incorrect grammar, punctuation, spelling and email addresses.

The firm used its own AI models to determine that certain emails sent to its customers later identified as phishing attacks were probably AI-generated, according to Dan Shiebler, head of machine learning at Abnormal. “While we are still doing a complete analysis to understand the extent of AI-generated email attacks, Abnormal has seen a definite increase in the number of attacks with AI indicators as a percentage of all attacks, particularly over the past few weeks,” he said.

Pro-Russian hackers are continuing to hit targets in Ukraine amid a counteroffensive aimed at reclaiming territory held by Russian forces in what Ukrainian officials and researchers describe as an intense period of network operations as the conflict heats up.

“The activity is still very high,” said Victor Zhora, a top Ukrainian cybersecurity official told CyberScoop via online chat Thursday.

Zhora, the deputy chairman of the State Service of Special Communications and Information Protection of Ukraine, which is responsible for the defense of Ukrainian government systems, said that pro-Russian hackers are focused on Ukrainian service providers, media and critical infrastructure, as well as collecting data from government networks. Zhora said his team is expecting the pace of pro-Russian operations to pick up.

The story of how I could steal credentials on Infosec Mastodon with a HTML injection vulnerability, without needing to bypass CSP.

Everybody on our Twitter feed seemed to be jumping ship to the infosec.exchange Mastodon server, so I decided to see what the fuss was all about. After figuring out why exactly you had to have loads of @ symbols in your username, I began to have a look at how secure it was. If you've followed me on Twitter you'll know I like to post vectors and test the limits of the app I'm using, and today was no exception.

First, I began testing to see if HTML or Markdown was supported. I did a couple of "tweets" to see if you could have code blocks (how cool would that be?) but nothing seemed to work. That is, until @ret2bed pointed out that you could change your preferences to enable HTML! That's right people, a social network that enables you to post HTML - what could possibly go wrong?

I enabled this handy preference and redid my tests. Markdown seemed pretty limited. I was mainly hoping for code blocks but they didn't materialise. I switched to testing HTML and tested for basic stuff like bold tags, which seemed to work on the web but not on mobile. Whilst I was testing, @securitymb gave me a link to their HTML filter source code and he showed me a very interesting vector where they were decoding entities.

In an operation coordinated by Europol and involving nine countries, law enforcement have seized the illegal dark web marketplace “Monopoly Market” and arrested 288 suspects involved in buying or selling drugs on the dark web.

More than EUR 50.8 million (USD 53.4 million) in cash and virtual currencies, 850 kg of drugs, and 117 firearms were seized. The seized drugs include over 258 kg of amphetamines, 43 kg of cocaine, 43 kg of MDMA and over 10 kg of LSD and ecstasy pills.

from 02 May 2023

The newly coined term "Darknet Parliament” has become the latest catchphrase among cybercriminals trying to prove their clout – and security insiders are loving it.

If you’ve never heard of the term before, don’t fret; neither had the rest of the world until Friday, when the notorious pro-Russian hacker group Killnet introduced the phrase in one of its Telegram threat posts.

Soon after, the Twitterverse seemed to come alive with security folk who couldn’t help but wonder about the ‘never-before-heard-of’ moniker for a ‘never-before-heard-of’ hacker government organization.