Skip Section Navigation
Global News: Git users urged to update software to prevent remote code execution attacks (5/2023)

May 22, 2023

The maintainers of the Git source code version control system have released updates to remediate two critical vulnerabilities that could be exploited by a malicious actor to achieve remote code execution.

The flaws, tracked as CVE-2022-23521 and CVE-2022-41903, impacts the following versions of Git: v2.30.6, v2.31.5, v2.32.4, v2.33.5, v2.34.5, v2.35.5, v2.36.3, v2.37.4, v2.38.2, and v2.39.0.

Global News: Notorious cyber gang FIN7 returns with Cl0p ransomware in new wave of attacks (5/2023)

May 20, 2023

The notorious cybercrime group known as FIN7 has been observed deploying Cl0p (aka Clop) ransomware, marking the threat actor's first ransomware campaign since late 2021.

Microsoft, which detected the activity in April 2023, is tracking the financially motivated actor under its new taxonomy Sangria Tempest.

"In these recent attacks, Sangria Tempest uses the PowerShell script POWERTRASH to load the Lizar post-exploitation tool and get a foothold into a target network," the company's threat intelligence team said. "They then use OpenSSH and Impacket to move laterally and deploy Clop ransomware."

FIN7 (aka Carbanak, ELBRUS, and ITG14) has been linked to other ransomware families such as Black Basta, DarkSide, REvil, and LockBit, with the threat actor acting as a precursor for Maze and Ryuk ransomware attacks.

Global News: This cybercrime syndicate pre-infected over 8.9 million Android phones worldwide (5/2023)

May 18, 2023

A cybercrime enterprise known as Lemon Group is leveraging millions of pre-infected Android smartphones worldwide to carry out their malicious operations, posing significant supply chain risks.

"The infection turns these devices into mobile proxies, tools for stealing and selling SMS messages, social media and online messaging accounts and monetization via advertisements and click fraud," cybersecurity firm Trend Micro said.

The activity encompasses no fewer than 8.9 million compromised Android devices, particularly budget phones, with the highest concentration of the infections discovered in the U.S., Mexico, Indonesia, Thailand, Russia, South Africa, India, Angola, the Philippines, and Argentina.

The findings were presented by researchers Fyodor Yarochkin, Zhengyu Dong, Vladimir Kropotov, and Paul Pajares at the Black Hat Asia conference held in Singapore last week.

Global News: U.S. offers $10 million bounty for capture of notorious Russian ransomware operator (5/2023)

May 17, 2023

A Russian national has been charged and indicted by the U.S. Department of Justice (DoJ) for launching ransomware attacks against "thousands of victims" in the country and across the world.

Mikhail Pavlovich Matveev (aka Wazawaka, m1x, Boriselcin, and Uhodiransomwar), the 30-year-old individual in question, is alleged to be a "central figure" in the development and deployment of LockBit, Babuk, and Hive ransomware variants since at least June 2020.

Aditya Paul Joins MIT as a Campbell L. Searle Fellow and a NSF Graduate Research Fellow (5/2023)

May 12, 2023

Congratulations to Center for Information and Cyber Security (CICS) member Aditya Paul who will be pursuing his graduate studies in electrical engineering and computer science at the Massachusetts Institute of Technology as a Campbell L. Searle Fellow and a NSF Graduate Research Fellow! He will be working to engineer the next generation of quantum technologies at one of the world's top research institutes.

Here are some remarks he gave thanking those who contributed to his academic career: "I couldn't have done any of this without the support of my mentors Dr. Crystal Noel, Dr. Jeff Thompson, Colin Smith and Dr. Ram Dantu. They've been invaluable throughout my intellectual journey, and have taught me so much about how to be a good researcher. In addition, I'm indebted to all my friends and family that helped me through this journey."

UNT CSE department awards (5/2023)

May 10, 2023

We want to congratulate both faculty/staff and students who recently received awards from the CSE Department!

Faculty/Staff Awards:

  • Cihan Tunc: CSE Junior Faculty Research Award

Student Awards:

  • Syed Badruddoja (Outstanding PhD Student)
  • Kritagya Upadhyay (Outstanding PhD Student)
  • Tyler Parks (Outstanding Master's Student, MSCS)
  • Thomas McCullough (Outstanding Undergraduate in Computer Science)
  • Leslie Delval Quinonez (Outstanding Undergraduate in Computer Engineering)

Congratulations again to all who received awards. Keep up the good work!

Global News: Hunting Russian Intelligence “Snake” malware (5/2023)

May 9, 2023

The Snake implant is considered the most sophisticated cyber espionage tool designed and used by Center 16 of Russia’s Federal Security Service (FSB) for long-term intelligence collection on sensitive targets. To conduct operations using this tool, the FSB created a covert peer-to-peer (P2P) network of numerous Snake-infected computers worldwide. Many systems in this P2P network serve as relay nodes which route disguised operational traffic to and from Snake implants on the FSB’s ultimate targets. Snake’s custom communications protocols employ encryption and fragmentation for confidentiality and are designed to hamper detection and collection efforts.

We have identified Snake infrastructure in over 50 countries across North America, South America, Europe, Africa, Asia, and Australia, to include the United States and Russia itself. Although Snake uses infrastructure across all industries, its targeting is purposeful and tactical in nature. Globally, the FSB has used Snake to collect sensitive intelligence from high-priority targets, such as government networks, research facilities, and journalists. As one example, FSB actors used Snake to access and exfiltrate sensitive international relations documents, as well as other diplomatic communications, from a victim in a North Atlantic Treaty Organization (NATO) country. Within the United States, the FSB has victimized industries including education, small businesses, and media organizations, as well as critical infrastructure sectors including government facilities, financial services, critical manufacturing, and communications.

This Cybersecurity Advisory (CSA) provides background on Snake’s attribution to the FSB and detailed technical descriptions of the implant’s host architecture and network communications. This CSA also addresses a recent Snake variant that has not yet been widely disclosed. The technical information and mitigation recommendations in this CSA are provided to assist network defenders in detecting Snake and associated activity. For more information on FSB and Russian state-sponsored cyber activity, please see the joint advisory Russian State-Sponsored and Criminal Cyber Threats to Critical Infrastructure and CISA’s Russia Cyber Threat Overview and Advisories webpage.

URL: https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-129a

Global News: Amazon Prime Video team throws AWS Serverless under a bus (5/2023)

May 4, 2023

Amazon Prime Video has dumped its AWS distributed serverless architecture and moved to what it describes as a “monolith” for its video quality analysis team in a move that it said has cut its cloud infrastructure costs 90%.

Global News: CISA issues advisory on critical RCE affecting ME RTU Remote Terminal Units (5/2023)

May 3, 2023

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Tuesday released an Industrial Control Systems (ICS) advisory about a critical flaw affecting ME RTU remote terminal units.

The security vulnerability, tracked as CVE-2023-2131, has received the highest severity rating of 10.0 on the CVSS scoring system for its low attack complexity.

"Successful exploitation of this vulnerability could allow remote code execution," CISA said, describing it as a case of command injection affecting versions of INEA ME RTU firmware prior to version 3.36.

Security researcher Floris Hendriks of Radboud University has been credited with reporting the issue to CISA.

Also published by CISA is an alert related to multiple known security holes in Intel(R) processors impacting Factory Automation (FA) products from Mitsubishi Electric that could result in privilege escalation and a denial-of-service (DoS) condition.

Global News: Chinese hackers spotted using Linux variant of PingPull in targeted cyberattacks (4/2023)

April 26, 2023

The Chinese nation-state group dubbed Alloy Taurus is using a Linux variant of a backdoor called PingPull as well as a new undocumented tool codenamed Sword2033.

Global News: Security News This Week: Criminals are using tiny devices to hack and steal cars (4/2023)

April 22, 2023

Apple thwarts NSO’s spyware, the rise of a GPT-4 black market, Russia targets Starlink internet connections, and more.

Employees of the US Immigration and Customs Enforcement agency (ICE) abused law enforcement databases to snoop on their romantic partners, neighbors, and business associates, WIRED exclusively revealed this week. New data obtained through record requests show that hundreds of ICE staffers and contractors have faced investigations since 2016 for attempting to access medical, biometric, and location data without permission. The revelations raise further questions about the protections ICE places on people’s sensitive information.

Security researchers at ESET found old enterprise routers are filled with company secrets. After purchasing and analyzing old routers, the firm found many contained login details for company VPNs, hashed root administrator passwords, and details of who the previous owners were. The information would make it easy to impersonate the business that owned the router originally. Sticking with account security: The race to replace all your passwords with passkeys is entering a messy new phase. Adoption of the new technology faces challenges getting off the ground.

The supply chain breach of 3CX, a VoIP provider that was compromised by North Korean hackers, is coming into focus, and the attack appears to be more complex than initially believed. Google-owned security firm Mandiant said 3CX was initially compromised by a supply chain attack before its software was used to further spread malware.

Also this week, it emerged that the notorious LockBit ransomware gang is developing malware that aims to encrypt Macs. To date, most ransomware has focused on machines running Windows or Linux, not devices made by Apple. If LockBit is successful, it could open up a new ransomware frontier—however, at the moment, the ransomware doesn’t appear to work.

With the rise of generative AI models, like ChatGPT and Midjourney, we’ve also looked at how you can guard against AI-powered scams. And a hacker who compromised the Twitter account of right-wing commentator Matt Walsh said they did so because they were “bored.

But that’s not all. Each week, we round up the stories we didn’t report in-depth ourselves. Click on the headlines to read the full stories. And stay safe out there.
Criminals Are Using Tiny Devices to Hack and Steal Cars

Car thieves are using a series of small hacking tools—sometimes hidden in Nokia 3310 phones or Bluetooth speakers—to break into and steal vehicles. This week, a report from Motherboard detailed how criminals are using controller area network (CAN) injection attacks to steal cars without having access to their keys. Security researchers say criminals first have to detach a car's headlights and then connect the hacking tool with two cables. Once connected, it can send fake messages to the car that look like they are originating from the car's wireless keys, and allow it to be unlocked and started.

Motherboard reports the hacking devices are being sold online and in Telegram channels for between $2,700 and $19,600, a potentially small price when trying to steal luxury cars. Security researchers at Canis Labs first detailed the issue after one car was stolen using the technique. Advertisements claim the tools can work on vehicles made by Toyota, BMW, and Lexus. The security researchers say encrypting traffic sent in CAN messages would help to stop the attacks.

Apple’s Lockdown Mode Blocked NSO Spyware

In recent years, NSO Group’s Pegasus spyware has been used to target political leaders, activists, and journalists around the world, with experts describing the technology as being as powerful as the capabilities of the most elite hackers. In response to the sophisticated spyware, Apple released Lockdown Mode last year, which adds extra security protections to iPhones and limits how successful spyware could be. Now, new research from the University of Toronto’s Citizen Lab has found that Apple’s security measures are working. Cases reviewed by Citizen Lab showed that iPhones running Lockdown Mode have blocked hacking attempts linked to NSO’s software and sent notifications to the phones’ owners. The research found three new “zero-click” exploits that could impact iOS 15 and iOS 16, which had been targeted at members of Mexico’s civil society. Lockdown mode detected one of these attacks in real time.

Cybercriminals Are Buying and Selling GPT-4 Accounts

Since OpenAI released GPT-4 in March, people have clamored to get their hands on the text-generating system. This, perhaps unsurprisingly, includes cybercriminals. Analysts at security firm Check Point have discovered a burgeoning market for the sale of login details for GPT-4. The company says that since the start of March, it has seen an “increase in discussion and trade of stolen ChatGPT accounts.” This includes criminals swapping premium ChatGPT accounts and brute-forcing their way into accounts by guessing email logins and passwords. The efforts could in theory help people in Russia, Iran, and China to access OpenAI’s system, which is currently blocked in those nations.

How Russia May Be Attacking Starlink

Russia has been trying to control Ukraine's internet access and media since Vladimir Putin launched his full-scale invasion in February 2022. Sensitive US documents leaked on Discord now show that Russian forces have been experimenting with an electronic warfare system, called Tobol, to disrupt internet connections from Elon Musk's Starlink satellite system. According to the The Washington Post, the Russian Tobol system appears to be more advanced than previously thought, although it is not clear if it has actually disrupted internet connections. Analysts initially believed Tobol was designed for defensive purposes but have since concluded it could also be used for offensive purposes, disrupting signals as they are sent from the ground to satellites orbiting the Earth.

UK Online Safety Bill Is an “Unprecedented Threat” To Encryption

For the last four years, politicians in the UK have been drafting laws designed to regulate the internet—first in the guise of an online harms law, which has since morphed into the Online Safety Bill. It's been a particularly messy process—often trying to deal with a dizzying range of online activities—but its impact on end-to-end encryption is alarming technology firms. This week, WhatsApp, Signal, and the companies behind five other encrypted chat apps signed an open letter saying the UK’s plans could effectively ban encryption, which keeps billions of people's conversations private and secure. (Only the sender and receiver can view end-to-end encrypted messages; the companies that own the messengers don't have access). “The Bill poses an unprecedented threat to the privacy, safety and security of every UK citizen and the people with whom they communicate around the world, while emboldening hostile governments who may seek to draft copy-cat laws,” the companies say in the letter.

Global News: Supply Chain Attacks and Critical Infrastructure: How CISA helps secure a nation's crown jewels (4/2023)

April 6, 2023

Supply Chain Attacks and Critical Infrastructure: How CISA Helps Secure a Nation's Crown Jewels

Critical infrastructure attacks are a preferred target for cyber criminals. Here's why and what's being done to protect them.

URL: https://thehackernews.com/2023/04/supply-chain-attacks-and-critical.html

Congratulations to CSE students winning the Spirit of Innovation Competition (3/2023)

March 27, 2023

Congratulations to our Ph.D. students in Network Security Lab for winning the Spirit of Innovation Competition. The competition was held in UT Dallas by the USICOC on the 24th of March.  

1st Prize went to Christopher Hickingbottom (Ph.D. student) on Zero-knowledge proofs for smart cities. He turned his Ph.D. work into an innovative product idea.

2nd Prize went to Ishan Ranasinghe Arachchilage (Ph.D. student) and Kapil Panda (TAMS) on Cyber Therapy. They turned the Ph.D. work into an innovative product idea.

3rd prize went to Burak Tufekci on Distributed Protocols for Drone Swarms for Search and Rescue. He turned his CSCE 6585 course project work into an innovative product idea.

The judges included the CEO of Inspira (a cybersecurity company), and senior executives from Pepsi-Cola, leading banks in DFW, and TI.  There were two rounds of competition. The first round was in January, and the second, was in March.  

Congratulations again to all who competed in this competition!

Global News: Additional supply chain vulnerabilities uncovered in AMI MegaRAC BMC software (2/2023)

February 1, 2023

Two more supply chain security flaws have been disclosed in AMI MegaRAC Baseboard Management Controller (BMC) software, nearly two months after three security vulnerabilities were brought to light in the same product.

Firmware security firm Eclypsium said the two shortcomings were held back until now to provide AMI additional time to engineer appropriate mitigations.

The issues, collectively tracked as BMC&C, could act as a springboard for cyber attacks, enabling threat actors to obtain remote code execution and unauthorized device access with superuser permissions.

The two new flaws in question are as follows -

  • CVE-2022-26872 (CVSS score: 8.3) - ​​Password reset interception via API
  • CVE-2022-40258 (CVSS score: 5.3) - Weak password hashes for Redfish and API