
Submission Summary: 0 pending, 81 declined, 50 accepted (131 total, 38.17% accepted)

Submission + - LockBit plans comeback with 4.0 release (thecyberexpress.com)

storagedude writes: LockBit was the most active ransomware group until a massive global law enforcement action resulted in takedowns, arrests and source code and decryption key leaks.

Now the group plans a comeback, according to a Cyber Express article that cited Cyble threat researchers, with the launch of LockBit 4.0 coming in February.

“Want a lamborghini, ferrari and lots of girls?” LockBit’s announcement said. “Sign up and start your pentester billionaire journey in 5 minutes with us.”

Cyble researchers noted that “it is uncertain whether LockBit will regain traction, as the group has faced declining credibility amidst competition from other RaaS groups, such as RansomHub, which currently dominate the ransomware landscape.”

Submission + - Did Russian Disinfo Influence U.S. Election? (thecyberexpress.com)

storagedude writes: Russian efforts to influence the U.S. election were brazen in 2024, and kicked into overdrive in the final days of the campaign. Given the myriad ways information is reported and amplified, it's difficult to establish a direct effect, but the data suggests a possible effect in Michigan, Wisconsin and some down-ballot races, according to an article by the Cyber Express.

From the article:

"And one place where anti-Harris actors leaned heavily was the ongoing Israel-Hamas war. Cyble researchers and others noted heavy efforts in recent days to paint Harris as a strong supporter of Israel who’s unlikely to support a ceasefire. That criticism may have caught on, even though Trump will likely be more pro-Israel – in addition to being less pro-Ukraine in its war with Russia.

"That disinformation campaign likely explains this bizarre data point from a Michigan exit poll: 'Former President Donald Trump won nearly 4-in-10 Michigan voters who believe the U.S. support for Israel has been ‘too strong.’

"Disinformation campaigns targeting those favoring an end to Israel’s war in Gaza likely gave Trump more votes in targeted swing states than he may have otherwise received. Was it enough to swing the election? The slice of the Michigan electorate delivered to Trump because of that issue would have amounted to about 10% of the overall vote, but some of those voters may have had other reasons to vote for him. But in a battleground state that Trump is currently leading by 1.4% with 97% of the vote counted, it’s a very interesting data point.

"We’d also note that third-party votes – which may have cost Clinton the 2016 election – weren’t much of a factor in the 2024 presidential vote, with candidates like Green Party nominee Jill Stein generally getting around 0.5%. Only in razor-thin Wisconsin, where the candidates are currently separated by about 30,000 votes with 99% of the vote counted (and where Harris may also have run into trouble over support for Israel), could third-party protest votes have swung the election. Margins are bigger than the third-party vote in other swing states.

"However, third-party votes likely affected some close down-ballot races, most notably Democratic Senator Bob Casey.

"Disinformation, then, by itself may not have swung the election, but the issue of the effect of disinformation surrounding support for Israel deserves further study. As part of the larger machinery of disinformation – campaign distortions, social media, timid corporate media – disinformation campaigns from foreign actors like Russia may serve as a well-targeted amplifier.

"But according to Antibot4Navalny, an activist research group tracking Russian disinformation campaigns, a definitive study would be a difficult undertaking.

'Impact from disinfo is extremely hard to measure, and it definitely takes time and a dedicated, talented team to come to a compelling conclusion,' the group told The Cyber Express. On the scale of a U.S. national election, 'there should be multiple such teams.'"

Submission + - Massive AI-Controlled X Disinformation Network Linked to China (thecyberexpress.com)

storagedude writes: Researchers have uncovered a network of at least 5,000 fake X accounts that appear to be controlled by AI in a disinformation campaign linked to China, and the activity appears to be heating up as the U.S. election approaches, according to a Cyber Express report.

The network, dubbed “Green Cicada” by the CyberCX researchers who discovered it, “primarily engages with divisive U.S. political issues and may plausibly be staged to interfere in the upcoming presidential election.”

The network “has also amplified hot-button political issues in other democracies,” including Australia, western Europe, India, Japan and other democratic countries.

The network appears to be controlled by a Chinese LLM, and its developers have been steadily improving operations over time, including reducing malformed outputs.

The researchers said their findings "indicate key gaps in X’s willingness and ability to detect inauthentic content. While we have observed X taking sporadic action against Green Cicada Network accounts during our period of monitoring, we have observed a failure to take systemic action against overtly linked accounts.

“We note that X has reversed initiatives put in place by Twitter to combat inauthentic activity, including efforts to detect, label and/or ban inauthentic accounts.”

Submission + - CrowdStrike Outage Caused By 5-Month-Old Extraneous Input Parameter (thecyberexpress.com)

storagedude writes: CrowdStrike’s root cause analysis (RCA) of the massive Windows BSOD outage released today details an extraneous input parameter field that went unnoticed for 5 months until it was called by a July 19 update, resulting in an out-of-bounds memory read error that crashed 8.5 million machines around the globe, according to a Cyber Express article.

One interesting new revelation in the root cause report is that the initial cause of the error occurred back in February when CrowdStrike released sensor version 7.11, which included a new Template Type for Windows interprocess communication (IPC) mechanisms. IPC Template Instances are delivered as Rapid Response Content to sensors via a corresponding Channel File numbered 291.

The new IPC Template Type defined 21 input parameter fields, but the integration code that invoked the Content Interpreter with Channel File 291’s Template Instances supplied only 20 input values to match against. The parameter count mismatch “evaded multiple layers of build validation and testing,” CrowdStrike said in the new 12-page report, due in part to the use of wildcard matching criteria for the 21st input during testing and in the initial IPC Template Instances.

On July 19, two additional IPC Template Instances were deployed, one of which introduced a non-wildcard matching criterion for the 21st input parameter.

“These new Template Instances resulted in a new version of Channel File 291 that would now require the sensor to inspect the 21st input parameter,” CrowdStrike said. “Until this channel file was delivered to sensors, no IPC Template Instances in previous channel versions had made use of the 21st input parameter field. The Content Validator evaluated the new Template Instances, but based its assessment on the expectation that the IPC Template Type would be provided with 21 inputs.

“Sensors that received the new version of Channel File 291 carrying the problematic content were exposed to a latent out-of-bounds read issue in the Content Interpreter. At the next IPC notification from the operating system, the new IPC Template Instances were evaluated, specifying a comparison against the 21st input value. The Content Interpreter expected only 20 values. Therefore, the attempt to access the 21st value produced an out-of-bounds memory read beyond the end of the input data array and resulted in a system crash.”

CrowdStrike pledged a half-dozen changes in the wake of the global outage:

- Validating the number of input fields in the Template Type at sensor compile time
- Correcting for a runtime array bounds check that was missing for Content Interpreter input fields on Channel File 291
- Template Type testing covering a wider variety of matching criteria
- Template Instance validation expanding to include testing within the Content Interpreter
- Staged deployment for template instances, including customer control over rollout
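The parameter-count mismatch described in the RCA, as an added illustration (this is not CrowdStrike's code; the type, function and constant names are hypothetical): a Template Type declares 21 fields, the integration code supplies only 20 values, and a wildcard criterion on the 21st field never touches the input array, so the gap stays hidden until a non-wildcard criterion arrives. The interpreter below carries the two checks the RCA lists, a build-time field-count comparison and a runtime bounds check on each field index, so the July 19 style instance is rejected with an error instead of reading past the array. The actual out-of-bounds read is deliberately not exercised, since it would be undefined behaviour.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical model of the situation in the RCA (not CrowdStrike's code). */
#define TEMPLATE_TYPE_FIELDS 21   /* fields the Template Type declares    */
#define SENSOR_INPUT_VALUES  20   /* values the integration code supplies */

enum { MATCH_WILDCARD = -1 };     /* criterion value that matches anything */

/* One matching criterion of a Template Instance: compare input field
 * `field` against `expected`, or match anything if expected is a wildcard. */
struct criterion { size_t field; int32_t expected; };

struct template_instance { const struct criterion *criteria; size_t count; };

enum interp_result { INTERP_NO_MATCH = 0, INTERP_MATCH = 1, INTERP_OOB = -1 };

/* Build-time style check: a Template Type that declares more fields than the
 * sensor supplies is rejected before any content ships. With the numbers from
 * the RCA (21 declared, 20 supplied) this returns false. */
bool template_type_fits(size_t declared_fields, size_t supplied_values) {
    return declared_fields <= supplied_values;
}

/* Hardened interpreter: every non-wildcard field index is checked against the
 * real input length before the array is dereferenced. */
enum interp_result interpret(const struct template_instance *ti,
                             const int32_t *inputs, size_t n_inputs) {
    for (size_t i = 0; i < ti->count; i++) {
        const struct criterion *c = &ti->criteria[i];
        if (c->expected == MATCH_WILDCARD) continue;   /* never reads inputs */
        if (c->field >= n_inputs) return INTERP_OOB;   /* the missing check */
        if (inputs[c->field] != c->expected) return INTERP_NO_MATCH;
    }
    return INTERP_MATCH;
}

/* Constructed sample input: field 0 is 7, the remaining 19 fields are 0. */
static const int32_t sample_inputs[SENSOR_INPUT_VALUES] = { 7 };

/* Pre-July instance: field 20 (the 21st input) is a wildcard, so it is never
 * inspected and the mismatch goes unnoticed. */
static const struct criterion legacy_criteria[] = { {0, 7}, {20, MATCH_WILDCARD} };

/* July 19 style instance: a concrete value for the 21st input forces a read
 * of inputs[20], one past the end of a 20-element array. */
static const struct criterion new_criteria[] = { {0, 7}, {20, 42} };

enum interp_result evaluate_legacy_instance(void) {
    struct template_instance ti = { legacy_criteria, 2 };
    return interpret(&ti, sample_inputs, SENSOR_INPUT_VALUES);
}

enum interp_result evaluate_new_instance(void) {
    struct template_instance ti = { new_criteria, 2 };
    return interpret(&ti, sample_inputs, SENSOR_INPUT_VALUES);
}

int main(void) {
    printf("template type fits sensor: %s\n",
           template_type_fits(TEMPLATE_TYPE_FIELDS, SENSOR_INPUT_VALUES) ? "yes" : "no");
    printf("legacy instance result: %d (1 = match)\n", evaluate_legacy_instance());
    printf("new instance result:    %d (-1 = rejected, would have read out of bounds)\n",
           evaluate_new_instance());
    return 0;
}
```

The point of the two checks is that they fail at different stages: the field-count comparison catches the 21-versus-20 mismatch when the Template Type is built, before any Channel File exists, while the runtime bounds check is the last line of defence if content with an unexpected field index reaches the sensor anyway.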

Submission + - CrowdStrike, Delta, Shareholders and Asymmetry Make for Messy Security (thecyberexpress.com)

storagedude writes: It’s been two weeks since the global CrowdStrike outage crashed 8.5 million Windows machines, and the lawyers have taken over: Shareholders and Delta are suing CrowdStrike, while CrowdStrike is suing — wait for it — parody sites.

One undiscussed underlying cause of the outage and its extensive damage could be the “shareholder first” mentality that has dominated U.S. companies since the Reagan era, writes longtime Slashdot contributor Paul Shread in an article in The Cyber Express.

“The ‘shareholder first’ doctrine means that companies try to get by with minimal investment while pushing employees and productivity as much as possible,” Shread writes. “That creates fragile systems, and an incident like CrowdStrike-Microsoft-Delta shows just how fragile that chain is, when inadequate testing, a rushed update, a fragile operating system and inadequate recovery processes come together to create a $500 million loss. And that’s just one customer; total outage losses have been estimated at $15 billion by cyber insurer Parametrix.

“With the ‘shareholder first’ focus on maximum profitability, marketing gets ahead of the technology and companies overpromise and underdeliver, and lawyers are brought in to make sure the company can retain every advantage.

“So you get onerous terms and conditions like CrowdStrike’s, where damages are limited to refunds and you get curious language like the following that seems incongruent with a company that has carefully built a reputation as a supplier to organizations with high security needs (the caps are CrowdStrike’s):

“’THE OFFERINGS AND CROWDSTRIKE TOOLS ARE NOT FAULT-TOLERANT AND ARE NOT DESIGNED OR INTENDED FOR USE IN ANY HAZARDOUS ENVIRONMENT REQUIRING FAIL-SAFE PERFORMANCE OR OPERATION. NEITHER THE OFFERINGS NOR CROWDSTRIKE TOOLS ARE FOR USE IN THE OPERATION OF AIRCRAFT NAVIGATION, NUCLEAR FACILITIES, COMMUNICATION SYSTEMS, WEAPONS SYSTEMS, DIRECT OR INDIRECT LIFE-SUPPORT SYSTEMS, AIR TRAFFIC CONTROL, OR ANY APPLICATION OR INSTALLATION WHERE FAILURE COULD RESULT IN DEATH, SEVERE PHYSICAL INJURY, OR PROPERTY DAMAGE. Customer agrees that it is Customer’s responsibility to ensure safe use of an Offering and the CrowdStrike Tools in such applications and installations.’

“CrowdStrike is hardly the only security vendor with terms like that, but it sure doesn’t give you confidence in the security of our critical infrastructure.

“One top industry official — Alex Stamos, SentinelOne’s new CISO — essentially accused CrowdStrike of negligence in a podcast earlier this week, and competitors like Fortinet and Sophos have been revealing how they handle kernel updates to reassure customers.

“But it’s fair to ask: How secure are our security tools? The answer is murky, in part because there are few industries that suffer from greater ‘information asymmetry’ than cybersecurity, where sellers know much more than buyers about how well these products actually work and there are no standards for efficacy.

“A Picus Security report published this week found that security tools miss an alarming number of attacks. While prevention effectiveness rose from 59% in the 2023 report to 69% in 2024, detection effectiveness, and alert scores in particular, dropped from 16% to 12%. ‘This means we are better at preventing some attacks, we are still struggling to detect them promptly,’ Picus said.”

Submission + - REvil Ransomware Trial Details Tesla Bribe Attempt as Russia Reduces Charges (thecyberexpress.com)

storagedude writes: The trial of eight members of the REvil ransomware group in Russia has been a bizarre display of reduced charges, a ruling that limited evidence, and claims of limited help from the U.S., according to a report by the Cyber Express.

REvil, along with the closely affiliated DarkSide, wreaked havoc on U.S. networks and critical infrastructure in 2021, including attacks on Colonial Pipeline, Kaseya, Apple supplier Quanta, and meat supplier JBS.

Only two of the defendants – alleged REvil leader Daniil Puzyrevsky and Ruslan Khansvoyarov – have been charged with anything resembling a ransomware crime: “creation and distribution of malicious programs by a group of persons by prior conspiracy, causing large-scale damage or committed for selfish purposes,” according to Izvestia.

The other six defendants face charges related to bank card theft.

Investigators found a record on Puzyrevsky’s computer with transactions from his Bitcoin wallet, which included a transfer dated May 9, 2021 for 63.7 BTC ($2.3 million), which was 85% of the ransom paid by Colonial Pipeline and was subsequently seized by the U.S. Justice Department.

One of the more interesting revelations to come from the case involved an attempted bribe of a Tesla engineer that led to an arrest in the case.

In the interrogations of witnesses in the case, Yegor Kryuchkov said that in the summer of 2020, Alexey Skorobogatov, who was close to the leaders of REvil, asked Kryuchkov if he had any friends working in large foreign companies. When Kryuchkov said he had an engineer friend at Tesla, REvil offered him $500,000 to hack the company.

Kryuchkov flew to the U.S. to meet with the engineer to convince him to introduce a malicious program into Tesla’s network, “or simply to open a letter sent to corporate mail with a Trojan virus,” said Izvestia.

Kryuchkov met with the Tesla engineer, who wanted $1 million for his efforts. The engineer alerted U.S. law enforcement, and Kryuchkov was arrested by the FBI. Kryuchkov served 10 months, then was deported to Russia to become a witness in the REvil case. Skorobogatov is not one of the defendants in the trial.

Submission + - Windows Recall Preview Remains Hackable as Google Develops Similar Feature (thecyberexpress.com)

storagedude writes: The latest version of Microsoft’s planned Windows Recall feature still contains data privacy and security vulnerabilities, according to a report by the Cyber Express.

Security researcher Kevin Beaumont – whose work started the backlash that resulted in Recall getting delayed last month – said the most recent preview version is still hackable by Alex Hagenah’s “TotalRecall” method “with the smallest of tweaks.”

The Windows screen recording feature could as yet be refined to fix security concerns, but some have spotted it recently in some versions of the Windows 11 24H2 release preview that will be officially released in the fall.

Google, meanwhile, is working on a similar feature, only with greater privacy controls that may be more appealing to data privacy and security advocates, according to an Android Authority report.

Submission + - 10-Year-Old Open Source Flaw Could Affect 'Almost Every Apple Device' (thecyberexpress.com)

storagedude writes: Some of the most widely used web and social media applications could be vulnerable to three newly discovered CocoaPods vulnerabilities — including potentially millions of Apple devices, according to a report by The Cyber Express, the news service of threat intelligence vendor Cyble Inc.

E.V.A Information Security researchers reported three vulnerabilities in the open source CocoaPods dependency manager that could allow malicious actors to take over thousands of unclaimed pods and insert malicious code into many of the most popular iOS and MacOS applications, potentially affecting "almost every Apple device."

The researchers found vulnerable code in applications provided by Meta (Facebook, Whatsapp), Apple (Safari, AppleTV, Xcode), and Microsoft (Teams); as well as in TikTok, Snapchat, Amazon, LinkedIn, Netflix, Okta, Yahoo, Zynga, and many more.

The vulnerabilities have been patched, yet the researchers still found 685 Pods “that had an explicit dependency using an orphaned Pod; doubtless there are hundreds or thousands more in proprietary codebases.”

The newly discovered vulnerabilities – one of which (CVE-2024-38366) received a 10 out of 10 criticality score – actually date from a May 2014 CocoaPods migration to a new 'Trunk' server, which left 1,866 orphaned pods that owners never reclaimed.

While the vulnerabilities have been patched, the work for developers and DevOps teams that used CocoaPods before October 2023 is just getting started.

“Developers and DevOps teams that have used CocoaPods in recent years should verify the integrity of open source dependencies used in their application code,” the E.V.A researchers said.

Submission + - Post-Quantum Key Encapsulation Secrets Exposed by Compiler (thecyberexpress.com)

storagedude writes: A security researcher discovered an exploitable timing leak in the Kyber key encapsulation mechanism (KEM) that’s in the process of being adopted by NIST as a post-quantum cryptographic standard, according to a report by The Cyber Express, the news site of threat intelligence vendor Cyble.

Antoon Purnal of PQShield detailed his findings in a blog post, and noted that the problem has been fixed with the help of the Kyber team. The issue was found in the reference implementation of the Module-Lattice-Based Key-Encapsulation Mechanism (ML-KEM) that’s in the process of being adopted as an NIST standard.

The side-channel vulnerability Purnal discovered can occur when a compiler optimizes the code, in the process silently undoing “measures taken by the skilled implementer.”

In Purnal’s analysis, the Clang compiler was found to emit a vulnerable secret-dependent branch in the poly_frommsg function of the ML-KEM reference code needed in both key encapsulation and decapsulation.

While that may be just a very small part of the code, Purnal released a demo on GitHub showing the role of the timing vulnerability in the recovery of an ML-KEM 512 secret key. “The demo terminates successfully in less than 10 minutes on the author’s laptop,” he wrote.

The reference implementation was patched by implementing the conditional move as a function in a separate file. “This change prevents Clang from recognizing the binary nature of the condition flag, and hence from applying the optimization,” he said.

“It’s important to note that this does not rule out the possibility that other libraries, which are based on the reference implementation but do not use the poly_frommsg function verbatim, may be vulnerable – either now or in the future,” he concluded.
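The kind of code Purnal's finding concerns, as an added example rather than the ML-KEM reference implementation or PQShield's demo: poly_frommsg decodes each message bit into a polynomial coefficient (0 or (q+1)/2), and the constant-time way to do that is to expand the bit into an all-zeros or all-ones mask and AND it with the constant, never branching on the bit. A compiler that can prove the operand is 0 or 1 may rewrite that mask arithmetic into the secret-dependent branch the page describes. The page says the reference fix moved the conditional move into a separate file; this example instead uses an inline-asm value barrier (GCC/Clang syntax) to make the bit opaque to the optimizer, which is the example's own choice. Either way, the only real check is to compile with the flags you ship and read the emitted assembly for poly_frommsg.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define KYBER_Q 3329
#define KYBER_N 256
#define HALF_Q ((KYBER_Q + 1) / 2)   /* 1665: coefficient for a message bit of 1 */

/* Optimization barrier (example's own hardening, not the reference code's):
 * the empty asm makes `v` opaque, so the compiler can no longer see that it
 * is 0 or 1 and turn the mask arithmetic below into a branch on it. */
static inline uint16_t value_barrier_u16(uint16_t v) {
#if defined(__GNUC__) || defined(__clang__)
    __asm__("" : "+r"(v));
#endif
    return v;
}

/* Constant-time conditional move: *r = b ? v : *r, for b in {0, 1}. */
void ct_cmov_int16(int16_t *r, int16_t v, uint16_t b) {
    uint16_t mask = (uint16_t)(0 - value_barrier_u16(b & 1)); /* 0x0000 or 0xFFFF */
    uint16_t cur = (uint16_t)*r;
    cur ^= mask & (cur ^ (uint16_t)v);   /* same instructions whatever b is */
    *r = (int16_t)cur;
}

/* Decode a 32-byte message into 256 coefficients: bit 1 -> HALF_Q, bit 0 -> 0,
 * without any branch whose direction depends on the (secret) message. */
void poly_frommsg_ct(int16_t coeffs[KYBER_N], const uint8_t msg[KYBER_N / 8]) {
    for (size_t i = 0; i < KYBER_N / 8; i++) {
        for (size_t j = 0; j < 8; j++) {
            coeffs[8 * i + j] = 0;
            ct_cmov_int16(&coeffs[8 * i + j], HALF_Q, (uint16_t)((msg[i] >> j) & 1));
        }
    }
}

/* The branchy form a compiler may produce from the plain mask expression.
 * Used here only as a functional oracle to check results against; it is the
 * shape of code that leaks timing, not something to ship. */
static int16_t branchy_decode(uint8_t bit) { return bit ? HALF_Q : 0; }

/* Returns 1 if the constant-time decoder agrees with the oracle for msg. */
int poly_frommsg_matches_oracle(const uint8_t msg[KYBER_N / 8]) {
    int16_t c[KYBER_N];
    poly_frommsg_ct(c, msg);
    for (size_t k = 0; k < KYBER_N; k++)
        if (c[k] != branchy_decode((uint8_t)((msg[k / 8] >> (k % 8)) & 1))) return 0;
    return 1;
}

/* Constructed sample message: byte 0 = 0xA5 (bits 1,0,1,0,0,1,0,1 from LSB),
 * byte 1 = 0xFF, remaining bytes 0. */
static const uint8_t sample_msg[KYBER_N / 8] = { 0xA5, 0xFF };

int16_t sample_coeff(size_t idx) {
    int16_t c[KYBER_N];
    poly_frommsg_ct(c, sample_msg);
    return c[idx];
}

int main(void) {
    for (size_t k = 0; k < 16; k++) printf("coeff[%zu] = %d\n", k, sample_coeff(k));
    printf("matches oracle: %d\n", poly_frommsg_matches_oracle(sample_msg));
    return 0;
}
```

Functional agreement with the oracle says nothing about timing; it only confirms the mask trick computes the right values. To see whether your toolchain keeps it branch-free, compile with `-O2` or `-O3` and inspect the disassembly of `poly_frommsg_ct` for a conditional jump that depends on the message byte.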

Submission + - New Copilot+ Recall Feature Can Be Easily Hacked: Researcher (thecyberexpress.com)

storagedude writes: The new Windows Recall feature planned for Copilot+ PCs has been criticized by security and privacy experts for recording user activity through frequent screenshots and potentially exposing personal data. Now a security researcher is demonstrating just how insecure Recall is.

Kevin Beaumont used an off-the-shelf infostealer and Microsoft Defender for Endpoint. Defender detected the infostealer, but “by the time the automated remediation kicked in (which took over ten minutes) my Recall data was already long gone,” he said, as reported by The Cyber Express.

“Recall enables threat actors to automate scraping everything you’ve ever looked at within seconds,” he concluded in a blog post on his findings.

Recall hasn’t shipped yet, but Beaumont and others hope Microsoft vastly improves its security before it does. In a long Mastodon thread on Recall’s security issues, Beaumont shared a video of Microsoft engineers easily accessing the Recall database. He called the new Copilot+ feature “the dumbest cybersecurity move in a decade.”

Submission + - NIST Delays Could Push Post-Quantum Security Products Into the Next Decade (esecurityplanet.com)

storagedude writes: A quantum computer capable of breaking public-key encryption is likely years away. Unfortunately, so are products that support post-quantum cryptography.

That's the conclusion of an eSecurity Planet article by Henry Newman. With the second round of NIST's post-quantum algorithm evaluations — announced last week — expected to take "several years" and the FIPS product validation process backed up, Newman notes that it will be some time before products based on post-quantum standards become available.

"The delay in developing quantum-resistant algorithms is especially troubling given the time it will take to get those products to market," Newman writes. "It generally takes four to six years with a new standard for a vendor to develop an ASIC to implement the standard, and it then takes time for the vendor to get the product validated, which seems to be taking a troubling amount of time.

"I am not sure that NIST is up to the dual challenge of getting the algorithms out and products validated so that vendors can have products that are available before quantum computers can break current technology. There is a race between quantum technology and NIST vetting algorithms, and at the moment the outcome is looking worrisome."

And as encrypted data stolen now can be decrypted later, the potential for “harvest now, decrypt later” (HNDL) attacks "is a quantum computing security problem that’s already here."

Submission + - Only CSPs Get Security Right. Can IT Vendors Catch Up? (esecurityplanet.com)

storagedude writes: If cloud service providers are the only ones who can get security right, will everyone eventually move to the cloud?

That's one of the questions longtime IT systems architect Henry Newman asks in a new article on eSecurity Planet.

"The concept of zero trust has been around since 2010, when Forrester Research analyst John Kindervag created the zero trust security model. Yet two years after the devastating Colonial Pipeline attack and strong advocacy from the U.S. government and others, we are still no closer to seeing zero trust architecture widely adopted," Newman writes. "The only exception, it seems, has been cloud service providers, who boast an enviable record when it comes to cybersecurity, thanks to rigorous security practices like Google's continuous patching."

"As security breaches continue to happen hourly, sooner or later zero trust requirements are going to be forced upon all organizations, given the impact and cost to society. The Biden Administration is already pushing ambitious cybersecurity legislation, but it's unlikely to get very far in the current Congress. I am very surprised that the cyber insurance industry has not required zero trust architecture already, but perhaps the $1.4 billion Merck judgment that went against the industry last week will begin to change that.

"The central question is, can any organization implement a full zero trust stack, buy hardware and software from various vendors and put it together, or will we all have to move to cloud service providers (CSPs) to get zero trust security?

"Old arguments that cloud profit margins will eventually make on-premises IT infrastructure seem like the cheaper alternative failed to anticipate an era when security became so difficult that only cloud service providers could get it right."

Cloud service providers have one key advantage when it comes to security, Newman notes: They control, write and build much of their software and hardware stacks.

Newman concludes: "I am somewhat surprised that cloud service providers don’t tout their security advantages more than they do, and I am equally surprised that the COTS vendors do not band together faster than they have been to work on zero trust. But what surprises me the most is the lack of pressure on everyone to move to zero trust and get a leg or two up on the current attack techniques and make the attack plane much smaller than it is. I am waiting for the insurance companies to mandate zero trust for the organizations they insure. Perhaps with the Merck ruling, cyber insurers finally got the financial incentive to do so."

Submission + - Could Data Destruction + Exfiltration Replace Ransomware? (esecurityplanet.com)

storagedude writes: Ransomware groups have been busy improving their data exfiltration tools, and with good reason: As ransomware decryption fails to work most of the time, victims are more likely to pay a ransom to keep their stolen data from being publicly leaked.

But some security researchers think the trend suggests that ransomware groups may change their tactics entirely and abandon ransomware in favor of a combined approach of data destruction and exfiltration, stealing the data before destroying it and any backups, thus leaving the stolen copy of the data as the only hope for victims to recover their data. After all, if ransomware just destroys data anyway, why waste resources developing it?

“With data exfiltration now the norm among threat actors, developing stable, secure, and fast ransomware to encrypt files is a redundant and costly endeavor compared to corrupting files and using the exfiltrated copies as the means of data recovery,” Cyderes researchers wrote after analyzing an attack last month.

“Eliminating the step of encrypting the data makes the process faster and eliminates the risk of not getting the full payout, or that the victim will find other ways to decrypt the data," they added. “Data destruction is rumored to be where ransomware is going to go, but we haven’t actually seen it in the wild. During a recent incident response, however, Cyderes and Stairwell discovered signs that threat actors are actively in the process of staging and developing this capability.”

That incident – involving BlackCat/ALPHV ransomware – turned up an exfiltration tool with hardcoded sftp credentials that was analyzed by Stairwell’s Threat Research Team, which found partially-implemented data destruction functionality.

"The use of data destruction by affiliate-level actors in lieu of RaaS deployment would mark a large shift in the data extortion landscape and would signal the balkanization of financially-motivated intrusion actors currently working under the banners of RaaS affiliate programs,” the Stairwell researchers wrote.

Submission + - A Quarter of Healthcare Orgs Say Ransomware Attacks Result in Patient Deaths (esecurityplanet.com)

storagedude writes: Nearly a quarter of healthcare organizations hit by ransomware attacks experienced an increase in patient mortality, according to a new study from Ponemon Institute and Proofpoint.

The report, “Cyber Insecurity in Healthcare: The Cost and Impact on Patient Safety and Care,” surveyed 641 healthcare IT and security practitioners and found that the most common consequences of cyberattacks are delayed procedures and tests, resulting in poor patient outcomes for 57% of the healthcare providers, followed by increased complications from medical procedures. The type of attack most likely to have a negative impact on patient care is ransomware, leading to procedure or test delays in 64% of the organizations and longer patient stays for 59% of them.

The Ponemon report depends on the accuracy of self-reporting and thus doesn't have the weight of, say, an epidemiological study that looks at hospital mortality baseline data before and after an attack, but the data is similar to what Ponemon has found in the past and there have been a number of reports of patient deaths and other complications from ransomware attacks.

The new report found that 89% of the surveyed organizations have experienced an average of 43 attacks in the past year. The most common types of attacks were cloud compromise, ransomware, supply chain, and business email compromise (BEC)/spoofing/phishing.

The Internet of Medical Things (IoMT) is a top concern for survey participants. Healthcare organizations have an average of more than 26,000 network-connected devices, yet only 51% of the surveyed organizations include them in their cybersecurity strategy.

Healthcare organizations are better at cloud security, with 63% taking steps to prepare for and respond to cloud compromise attacks, and 62% have taken steps to prevent and respond to ransomware — but that still leaves nearly 40% of healthcare organizations more vulnerable than they should be.

Preparedness is even worse for supply chain attacks and BEC, with only 44% and 48% having a documented response to those attacks, respectively.

The high costs of healthcare cyberattacks — an average of $4.4 million — mean that healthcare cybersecurity tools likely have a high ROI, even though roughly half of the survey respondents say they lack sufficient staffing and in-house expertise.

Submission + - Hackers Are Stealing Session Cookies to Bypass Multi-factor Authentication (esecurityplanet.com)

storagedude writes: Hackers are stealing cookies from current or recent web sessions to bypass multi-factor authentication (MFA), according to an eSecurity Planet report.

The attack method, reported by Sophos researchers, is already growing in use. The "cookie-stealing cybercrime spectrum" is broad, the researchers wrote, ranging from "entry-level criminals" to advanced adversaries, using various techniques.

Cybercriminals collect cookies or buy stolen credentials "in bulk" on dark web forums. Ransomware groups also harvest cookies and "their activities may not be detected by simple anti-malware defenses because of their abuse of legitimate executables, both already present and brought along as tools," the researchers wrote.

Browsers allow users to maintain authentication, remember passwords and autofill forms. That might seem convenient, but attackers can exploit this functionality to steal credentials and skip the login challenge.

Behind the scenes, browsers use SQLite database files that contain cookies. These cookies are composed of key-value pairs, and the values often contain critical information such as tokens and expiration dates.

Adversaries know the exact name and location of these files for all major browsers such as Chrome, Firefox, and even Brave, on various operating systems. That’s why the attack can be scripted. It’s not uncommon to find such scripts along with other modules in info-stealing and other malware.

For example, the latest version of the Emotet botnet targets cookies and credentials stored by browsers, which include saved credit cards. According to the Sophos researchers, “Google’s Chrome browser uses the same encryption method to store both multi-factor authentication cookies and credit card data.”

To gain initial access, attackers can also perform phishing and spear-phishing campaigns to implant droppers that can deploy cookie-stealer malware stealthily.

The cookies are then used for post-exploitation and lateral movements. Cybercriminals can use them to change passwords and emails associated with user accounts, or trick the victims into downloading additional malware, or even deploy other exploitation tools such as Cobalt Strike and Impacket kit.

Users should not use built-in features to save passwords unless the browser encrypts them with, at least, a master password. It’s recommended that users uncheck the setting called “remember passwords,” and users should probably not allow persistent sessions as well.

Developers can be part of the problem if they don’t secure authentication cookies properly. Such cookies must have a short expiration date. Otherwise, the persistent authentication could turn into a persistent threat. You can have great security processes and still get hacked because the cookies do not have the necessary flags (e.g., HttpOnly, Secure attribute). For example, authentication cookies must be sent using SSL/TLS channels. Otherwise the data could be sent in plain text and attackers would only have to sniff traffic to intercept credentials.
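A small audit helper for the developer-side advice above, added here as an example (not from the eSecurity Planet or Sophos material): it parses a Set-Cookie header value and reports whether the authentication cookie lacks the Secure flag, lacks HttpOnly, or carries a Max-Age longer than a chosen session limit. The one-hour limit and the two sample headers are constructed for the example; Expires dates are not parsed, so a cookie that uses Expires instead of Max-Age needs a manual look.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Findings are returned as a bitmask so a caller can report all of them. */
enum {
    COOKIE_OK        = 0,
    MISSING_SECURE   = 1,   /* may be sent over plain HTTP and sniffed     */
    MISSING_HTTPONLY = 2,   /* readable by script, e.g. via injected JS    */
    LONG_LIVED       = 4    /* Max-Age beyond the session limit below      */
};

/* Policy choice for this example: a session cookie should not outlive 1 hour. */
#define MAX_SESSION_AGE_SECONDS (60 * 60)

/* Case-insensitive comparison of a non-terminated attribute name. */
static int attr_is(const char *attr, size_t len, const char *name) {
    if (len != strlen(name)) return 0;
    for (size_t i = 0; i < len; i++)
        if (tolower((unsigned char)attr[i]) != tolower((unsigned char)name[i])) return 0;
    return 1;
}

/* Audit one Set-Cookie header value ("name=value; Attr; Attr=val ...").
 * Starts from the worst case and clears a finding when the attribute is seen,
 * so a header with no attributes at all reports both flags as missing. */
int audit_set_cookie(const char *header) {
    int findings = MISSING_SECURE | MISSING_HTTPONLY;
    const char *p = strchr(header, ';');          /* skip the name=value pair */
    while (p) {
        p++;
        while (*p == ' ') p++;                    /* tolerate "; " separators */
        const char *end = strchr(p, ';');
        size_t len = end ? (size_t)(end - p) : strlen(p);
        const char *eq = memchr(p, '=', len);
        size_t name_len = eq ? (size_t)(eq - p) : len;

        if (attr_is(p, name_len, "Secure")) {
            findings &= ~MISSING_SECURE;
        } else if (attr_is(p, name_len, "HttpOnly")) {
            findings &= ~MISSING_HTTPONLY;
        } else if (attr_is(p, name_len, "Max-Age") && eq) {
            long age = strtol(eq + 1, NULL, 10);
            if (age > MAX_SESSION_AGE_SECONDS) findings |= LONG_LIVED;
        }
        /* Expires=<date> is not parsed here; review such cookies by hand. */
        p = end;
    }
    return findings;
}

/* Constructed sample headers: a weak cookie (no flags, 30-day lifetime) and
 * the hardened form of the same cookie. The session id is a placeholder. */
static const char WEAK_COOKIE[] =
    "sid=PLACEHOLDER_SESSION_ID; Path=/; Max-Age=2592000";
static const char HARDENED_COOKIE[] =
    "sid=PLACEHOLDER_SESSION_ID; Path=/; Secure; HttpOnly; SameSite=Strict; Max-Age=900";

static void report(const char *label, const char *header) {
    int f = audit_set_cookie(header);
    printf("%s: %s%s%s%s\n", label,
           f == COOKIE_OK ? "ok" : "",
           (f & MISSING_SECURE)   ? "[no Secure] "   : "",
           (f & MISSING_HTTPONLY) ? "[no HttpOnly] " : "",
           (f & LONG_LIVED)       ? "[Max-Age too long] " : "");
}

int main(void) {
    report("weak    ", WEAK_COOKIE);
    report("hardened", HARDENED_COOKIE);
    return 0;
}
```

Run against the headers your application actually emits (for example, captured from a staging login response) rather than the constructed ones; the useful output is the list of cookies that come back with anything other than "ok".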
