Cloud environments are rich with sensitive data and have become a prime target for threat actors. They can be large, and their many applications, connections, and configurations can be difficult to understand and monitor. Cloud security failures commonly occur when manually managed controls, including settings and access privileges, are set incorrectly, and organizations have mistakenly exposed applications, network segments, storage, and APIs to the public. This complexity creates a risk of breach, and victims often do not know that their cloud environments have been breached. According to IBM’s Cost of a Data Breach Report 2023, data breaches resulting from misconfigured cloud infrastructure cost an average of $4 million to resolve. Threat actors typically gain access through exploitable misconfigured systems and exfiltrate data; the resulting breaches involve the loss, theft, or compromise of personally identifiable information (PII), which can then be used to conduct subsequent cyberattacks.
Recent misconfiguration incidents highlight cloud security risks and the need for organizations to secure their cloud environments so that data is not mistakenly exposed. For example, researchers discovered a dual privilege escalation chain affecting Google Kubernetes Engine (GKE) that stems from specific misconfigurations in GKE’s FluentBit logging agent and Anthos Service Mesh (ASM). The weaknesses lie in the default configuration of FluentBit, which runs automatically on all clusters, and in the default privileges granted within ASM. When combined, they allow a threat actor who already has access to the Kubernetes cluster to escalate privileges, enabling data theft, deployment of malicious pods, and disruption of cluster operations.
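The chain described above is a general pattern, not something unique to GKE: a workload that mounts the kubelet’s pod directory from the host can read the projected service-account tokens of every other pod on the same node, and if one of those neighbours holds RBAC permissions that allow creating workloads, the token reader inherits them. The following script, added here as an example and not taken from the page, Google, or Unit 42, audits pod specs and ClusterRoleBindings (already parsed into dicts, as from the Kubernetes API) for exactly that combination. The manifests, names, and roles in it are constructed and simplified; they are not GKE’s actual FluentBit or ASM objects, and the list of dangerous verbs and resources is the author’s own starting point, not an exhaustive one.

```python
"""Find privilege-escalation paths that chain two Kubernetes misconfigurations:
a pod that mounts the kubelet pod directory from the host (so it can read the
projected service-account tokens of every pod on its node) and a neighbouring
pod whose service account holds permissions that allow running code or widening
privileges. Constructed example: the manifests below are hypothetical."""

# kubelet keeps each pod's volumes, including projected SA tokens, under here.
KUBELET_PODS_DIR = "/var/lib/kubelet/pods"

# Verbs that widen a principal's privileges regardless of resource, and
# (resource, verb) pairs that allow running code or reading credentials.
ESCALATION_VERBS = {"*", "escalate", "bind", "impersonate"}
ESCALATION_PAIRS = {
    ("*", "*"), ("pods", "create"), ("pods", "*"), ("pods/exec", "create"),
    ("daemonsets", "create"), ("deployments", "create"),
    ("secrets", "get"), ("secrets", "list"), ("secrets", "*"),
    ("serviceaccounts/token", "create"),
    ("clusterrolebindings", "create"), ("rolebindings", "create"),
}


def overlaps_kubelet_pods_dir(path):
    """True if `path` is the kubelet pods dir, an ancestor of it, or inside it."""
    p = path.rstrip("/") or "/"
    if p == "/":
        return True
    return (p == KUBELET_PODS_DIR or KUBELET_PODS_DIR.startswith(p + "/")
            or p.startswith(KUBELET_PODS_DIR + "/"))


def exposes_neighbour_tokens(pod):
    """True if a container actually mounts a hostPath volume that reaches the
    kubelet pods directory (a declared but unmounted volume is harmless)."""
    spec = pod["spec"]
    mounted = {m["name"] for c in spec.get("containers", [])
               for m in c.get("volumeMounts", [])}
    return any(v["name"] in mounted and "hostPath" in v
               and overlaps_kubelet_pods_dir(v["hostPath"]["path"])
               for v in spec.get("volumes", []))


def dangerous_permissions(rules):
    """Sorted 'resource:verb' strings from RBAC rules that enable escalation."""
    found = set()
    for rule in rules:
        for res in rule.get("resources", []):
            for verb in rule.get("verbs", []):
                if verb in ESCALATION_VERBS or (res, verb) in ESCALATION_PAIRS:
                    found.add(f"{res}:{verb}")
    return sorted(found)


def privileged_service_accounts(cluster_roles, bindings):
    """Map (namespace, name) of each ServiceAccount to the dangerous permissions
    it gets via ClusterRoleBindings. Assumption: namespaced RoleBindings and
    User/Group subjects are out of scope for this example."""
    result = {}
    for b in bindings:
        perms = dangerous_permissions(cluster_roles.get(b["roleRef"]["name"], []))
        for s in b.get("subjects", []):
            if perms and s.get("kind") == "ServiceAccount":
                result.setdefault((s["namespace"], s["name"]), set()).update(perms)
    return {k: sorted(v) for k, v in result.items()}


def find_escalation_paths(pods, cluster_roles, bindings):
    """For each token-exposing pod, list same-node pods whose SA is privileged."""
    priv = privileged_service_accounts(cluster_roles, bindings)
    paths = []
    for reader in pods:
        if not exposes_neighbour_tokens(reader):
            continue
        node = reader["spec"].get("nodeName")
        for victim in pods:
            if victim is reader or victim["spec"].get("nodeName") != node:
                continue
            key = (victim["metadata"]["namespace"],
                   victim["spec"].get("serviceAccountName", "default"))
            if key in priv:
                paths.append({"from_pod": reader["metadata"]["name"], "node": node,
                              "token_of": victim["metadata"]["name"],
                              "service_account": "/".join(key), "gains": priv[key]})
    return paths


def make_pod(name, ns, node, sa, host_path=None):
    """Minimal pod dict; `host_path`, if given, is mounted read-only into it."""
    spec = {"nodeName": node, "serviceAccountName": sa, "volumes": [],
            "containers": [{"name": "main", "volumeMounts": []}]}
    if host_path:
        spec["volumes"].append({"name": "host", "hostPath": {"path": host_path}})
        spec["containers"][0]["volumeMounts"].append(
            {"name": "host", "mountPath": host_path, "readOnly": True})
    return {"metadata": {"name": name, "namespace": ns}, "spec": spec}


# Constructed sample cluster: a logging DaemonSet pod on every node mounting
# /var/lib/kubelet/pods, and a mesh agent on node-1 allowed to create workloads.
SAMPLE_PODS = [
    make_pod("log-agent-k2x", "kube-system", "node-1", "log-agent", "/var/lib/kubelet/pods"),
    make_pod("mesh-cni-7pq", "kube-system", "node-1", "mesh-cni"),
    make_pod("web-5h8", "default", "node-1", "default"),
    make_pod("log-agent-m9z", "kube-system", "node-2", "log-agent", "/var/lib/kubelet/pods"),
    make_pod("api-3jd", "default", "node-2", "default"),
]
SAMPLE_CLUSTER_ROLES = {
    "mesh-cni-role": [
        {"apiGroups": ["apps"], "resources": ["daemonsets"], "verbs": ["create", "patch"]},
        {"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list", "create"]},
    ],
    "log-reader": [{"apiGroups": [""], "resources": ["pods", "pods/log"], "verbs": ["get", "list"]}],
}
SAMPLE_BINDINGS = [
    {"roleRef": {"name": "mesh-cni-role"},
     "subjects": [{"kind": "ServiceAccount", "name": "mesh-cni", "namespace": "kube-system"}]},
    {"roleRef": {"name": "log-reader"},
     "subjects": [{"kind": "ServiceAccount", "name": "log-agent", "namespace": "kube-system"}]},
]

if __name__ == "__main__":
    for path in find_escalation_paths(SAMPLE_PODS, SAMPLE_CLUSTER_ROLES, SAMPLE_BINDINGS):
        print(path)
```

Only the node-1 logging pod produces a finding: the node-2 logging pod has the same dangerous mount, but none of its neighbours holds a privileged service account, which is why the fix is to remove the host mount everywhere rather than to argue about which nodes happen to be safe today. The logging pod’s own role (read-only access to pods and logs) is not flagged; the escalation comes entirely from the token it can read off the host filesystem.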
Additionally, Ateam, a Japanese game developer with multiple games on Google Play, had insecurely configured a Google Drive cloud storage instance to “Anyone on the internet with the link can view” since March 2017. The misconfigured instance contained 1,369 files with personal information, including full names, email addresses, phone numbers, customer management numbers, and terminal (device) identification numbers. Search engines could index this information, making it more accessible to threat actors. Furthermore, the TuneFab converter, used to convert copyrighted music from popular streaming platforms such as Spotify and Apple Music, exposed more than 151 million parsed records of users’ private data, such as IP addresses, user IDs, emails, and device information. The exposure was caused by a MongoDB misconfiguration that left the database without a password, publicly accessible, and indexed by public IoT search engines.
The NJCCIC has observed increased reports of cryptocurrency scams over the past few weeks, consistent with open-source reporting. The scams begin with a sophisticated phishing attack, often initiated via social media direct messages or posts, and use a crypto wallet-draining technique that targets a wide range of blockchain networks. These cryptocurrency stealers are malicious programs or scripts designed to transfer cryptocurrency from victims’ wallets without their consent. Attribution is frequently obfuscated, as many of these campaigns are perpetrated by phishing groups that offer wallet-draining scripts in scam-as-a-service operations.
The cybercriminal begins the scam by creating fake airdrop or phishing campaigns, often promoted on social media or via email, that offer free tokens to lure users. To claim the tokens, the target is directed to a fraudulent website that mimics a genuine token distribution platform and requests a connection to their crypto wallet. The target is then enticed to engage with a malicious smart contract, inadvertently granting the cybercriminal access to their funds, which enables token theft without further user interaction. Cybercriminals may use methods such as mixers or multiple transfers to obscure their tracks and liquidate the stolen assets. Social engineering tactics in recent campaigns include fake job interviews via LinkedIn, romance scams, and other promotions promising quick cryptocurrency returns, offered through various social media platforms.
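The “engage with a malicious smart contract” step usually takes a concrete form the page does not spell out: the fake claim page asks the wallet to sign a token approval (ERC-20 approve with an effectively unlimited amount, or ERC-721 setApprovalForAll) naming the drainer’s contract as spender, after which the drainer can move the tokens with no further signature. The script below, added here as an example and not part of the original bulletin or any wallet’s code, decodes the calldata a wallet is asked to sign and labels these patterns. It uses the standard selectors for the named functions; the drainer and DEX addresses, the sample requests, and the 2^128 “effectively unlimited” threshold are the author’s constructed assumptions.

```python
"""Decode the calldata a wallet is asked to sign and flag the approval patterns
that wallet drainers rely on. Added example built on the standard ERC-20 and
ERC-721 function selectors; the sample addresses are constructed."""

# Function selectors: first 4 bytes of keccak256 of the canonical signature.
SELECTORS = {
    bytes.fromhex("095ea7b3"): "approve(address,uint256)",
    bytes.fromhex("39509351"): "increaseAllowance(address,uint256)",
    bytes.fromhex("a22cb465"): "setApprovalForAll(address,bool)",
}
MAX_UINT256 = 2**256 - 1
# Assumption: an allowance at or above this is treated as unlimited even when
# it is not exactly MAX_UINT256; no real token supply comes anywhere near it.
UNLIMITED_THRESHOLD = 2**128


def _word(data, index):
    """Return the 32-byte ABI word `index` after the 4-byte selector."""
    start = 4 + 32 * index
    word = data[start:start + 32]
    if len(word) != 32:
        raise ValueError("calldata truncated")
    return word


def _address(word):
    """Decode a left-padded address word; reject junk in the padding."""
    if any(word[:12]):
        raise ValueError("address word has non-zero padding")
    return "0x" + word[12:].hex()


def _address_word(address):
    raw = bytes.fromhex(address[2:] if address.startswith("0x") else address)
    if len(raw) != 20:
        raise ValueError("address must be 20 bytes")
    return raw.rjust(32, b"\x00")


def encode_approve(spender, amount):
    """ABI-encode approve(spender, amount), as a dapp's front end would."""
    return bytes.fromhex("095ea7b3") + _address_word(spender) + amount.to_bytes(32, "big")


def encode_set_approval_for_all(operator, approved):
    """ABI-encode setApprovalForAll(operator, approved) for an ERC-721 collection."""
    flag = (1 if approved else 0).to_bytes(32, "big")
    return bytes.fromhex("a22cb465") + _address_word(operator) + flag


def classify_calldata(calldata, trusted_spenders=()):
    """Classify one transaction's calldata: decoded function, spender/operator,
    amount where present, whether the spender is on the user's allow-list, and
    a risk label a wallet could surface before the user signs."""
    if isinstance(calldata, str):
        calldata = bytes.fromhex(calldata[2:] if calldata.startswith("0x") else calldata)
    func = SELECTORS.get(calldata[:4])
    if func is None:
        return {"function": None, "spender": None, "risk": "not-an-approval"}
    spender = _address(_word(calldata, 0))
    trusted = spender in {t.lower() for t in trusted_spenders}
    result = {"function": func, "spender": spender, "spender_trusted": trusted}
    if func.startswith("setApprovalForAll"):
        approved = int.from_bytes(_word(calldata, 1), "big") != 0
        # The operator gains control of every token of the collection.
        result["risk"] = "approval-for-all" if approved else "revocation"
        return result
    amount = int.from_bytes(_word(calldata, 1), "big")
    result["amount"] = amount
    if amount == 0:
        result["risk"] = "revocation"
    elif amount >= UNLIMITED_THRESHOLD:
        result["risk"] = "unlimited-approval"
    else:
        result["risk"] = "bounded-approval"
    return result


# Constructed sample: a hypothetical drainer contract and a hypothetical
# user-trusted DEX router; neither address is real.
DRAINER = "0x1111111111111111111111111111111111111111"
DEX_ROUTER = "0x2222222222222222222222222222222222222222"

SAMPLE_REQUESTS = {
    "claim-airdrop": encode_approve(DRAINER, MAX_UINT256),
    "claim-nft-airdrop": encode_set_approval_for_all(DRAINER, True),
    "swap": encode_approve(DEX_ROUTER, 1_000 * 10**18),
    "revoke": encode_approve(DRAINER, 0),
}

if __name__ == "__main__":
    for label, data in SAMPLE_REQUESTS.items():
        print(label, classify_calldata(data, trusted_spenders=[DEX_ROUTER]))
```

The “claim-airdrop” request is what the fake token page actually submits: a legitimate airdrop claim never needs an approval at all, so an approval naming an unknown spender is the signal to refuse. The same decoder also shows the recovery step, a zero-amount approve (or setApprovalForAll with false) to the same spender, which is how a victim revokes an allowance they were tricked into signing.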
Image source: ESET H2 Threat Report
According to ESET’s H2 Threat Report, the number of observed cryptocurrency threats decreased by 21 percent in the latter half of 2023; however, a sudden increase in cryptostealer activity was primarily caused by the rise of Lumma Stealer (78.9 percent), a malware-as-a-service (MaaS) infostealer capable of stealing passwords, multi-factor authentication (MFA) data, configuration data, browser cookies, cryptocurrency wallet data, and more. This infostealer was observed spreading via the Discord chat platform and through a recent fake browser update campaign. In that campaign, a compromised website displays a fake notice that a browser update is required to access the site. If the update button is clicked, a malicious payload is downloaded, delivering malware such as RedLine, Amadey, or Lumma Stealer to the victim’s machine.
The NJCCIC recommends that users exercise caution when interacting with social media posts, direct messages, texts, or emails that may contain misinformation and refrain from responding to or clicking links delivered in communications from unknown or unverified senders. Additionally, users are strongly encouraged to enable MFA where available, choosing an authentication app such as Google Authenticator or Microsoft Authenticator. In the case of credential exposure or theft, MFA will greatly reduce the risk of account compromise. If theft of funds has occurred, victims are urged to report the activity to the FBI’s IC3 immediately, their local FBI field office, and local law enforcement. These scams can also be reported to the NJCCIC and the FTC. Further information and recommendations can be found in the FTC article, the Cryptonews article, and the LinkedIn article.
NIST Identifies Types of Cyberattacks That Manipulate Behavior of AI Systems
Adversaries can deliberately confuse or even “poison” artificial intelligence (AI) systems to make them malfunction — and there’s no foolproof defense that their developers can employ. Computer scientists from the National Institute of Standards and Technology (NIST) and their collaborators identify these and other vulnerabilities of AI and machine learning (ML) in a new publication. Their work, titled Adversarial Machine Learning: A Taxonomy and Terminology of Attacks and Mitigations (NIST.AI.100-2), is part of NIST’s broader effort to support the development of trustworthy AI, and it can help put NIST’s AI Risk Management Framework into practice. The publication, a collaboration among government, academia and industry, is intended to help AI developers and users get a handle on the types of attacks they might expect along with approaches to mitigate them — with the understanding that there is no silver bullet.
Don’t miss your chance to attend the inaugural Global Nonprofit Leaders Summit in Bellevue, Washington, January 31 – February 1.
This event is your opportunity to set a course for AI innovation in 2024. You’ll connect with over 1,000 nonprofit professionals from across the globe. Together, you’ll learn how to spark nonprofit transformation in the era of AI with skilling to get started, vital discussions on AI including use cases and challenges, and lessons from other nonprofit leaders who are leveraging AI in big and small ways.
Learn from experts in digital transformation, digital inclusion, and AI, including:
Brad Smith, Microsoft Vice Chair and President
Trevor Noah, Comedian, TV Host, Author
Dr. Fei-Fei Li, Co-Director of Stanford’s Human-Centered AI Institute
Afua Bruce, Author of “The Tech that Comes Next”
Ryan Roslansky, CEO, LinkedIn
Beth Kanter, Trainer, Facilitator, Author at BethKanter.org
Grow your skills at Security Virtual Training Day: Security, Compliance, and Identity Fundamentals from Microsoft Learn. At this free, introductory event, you’ll gain the security skills and training you need to create impact and take advantage of opportunities to move your career forward. You’ll explore the basics of security, compliance, and identity—including best practices to help protect people and data against cyberthreats for greater peace of mind. You’ll also learn more about identity and access management while exploring compliance management fundamentals. You will have the opportunity to:
Learn the fundamentals of security, compliance, and identity.
Understand the concepts and capabilities of Microsoft identity and access management solutions, as well as compliance management capabilities.
Gain the skills and knowledge to jumpstart your preparation for the certification exam.
Join us at an upcoming two-part event:
January 8, 2024 | 12:00 PM – 3:45 PM | (GMT-05:00) Eastern Time (US & Canada)
January 9, 2024 | 12:00 PM – 2:15 PM | (GMT-05:00) Eastern Time (US & Canada)
Delivery Language: English Closed Captioning Language(s): English
#Empower2024: AI, Your Copilot
January 31, 10:30 a.m. – 4:30 p.m. ET
Designed for nonprofits, this 1-day virtual conference with ProServe IT will tell you what you need to know to harness the power of artificial intelligence. Learn how AI and Microsoft Copilot can boost your productivity and drive results for your mission. Join any of the 30-minute sessions throughout the day, depending on your interest, and learn what you can do to get ready for this innovative technology in a new era of work.
For more information about this publication and to provide comments, visit the website page. If you have questions, email us at privacyeng@nist.gov.
Best,
NIST Privacy Engineering Program
NIST Cybersecurity and Privacy Program
Questions/Comments about this notice: privacyeng@nist.gov
CSRC Website questions: csrc-inquiry@nist.gov
The complex formulas in physics, math and engineering papers might be intimidatingly difficult reading matter for some, but there are many people who have trouble merely seeing them in the first place. The National Institute of Standards and Technology (NIST) has created a tool that makes these papers easier on the eyes for those with visual disabilities, and it’s about to be adopted in a major way. The tool, which converts one commonly used format for displaying math formulas into another, could help make the latest and greatest research papers accessible to all. Most new research papers are distributed as PDF files, which many people in the research community have difficulty reading.
We’re ringing in the New Year by giving you a sneak peek into what the NIST Small Business Cybersecurity Program has planned for 2024. During this webinar, we’ll:
Introduce you to the new NIST Lead for Small Business Engagement.
Provide an overview of upcoming small business cybersecurity events.
Launch our two new NIST Small Business Cybersecurity Community of Interest (COI) sub-groups:
COI for Small Business Owners/Operators.
COI for Small Business Vendors and Resource Partners.
Throughout 2023, cyberattacks affected organizations, governments, businesses, and private residents in New Jersey, resulting in monetary loss, degradation and interruption of services and resources, reputational damage, exposure of sensitive information, emotional distress, and more. In an era dominated by digital connectivity, the importance of cybersecurity cannot be overstated. Reflecting on the evolving threat landscape is crucial as we approach the end of the year.
Geopolitical Tensions
2023 has been marked by heightened geopolitical unrest. Nation-state threat actors carry out cyberattacks to advance their political and economic interests and influence, threatening critical information, services, and information systems, as well as public health and safety. This year, the Russia-Ukraine war entered its second year, and hacktivist groups supporting Russia’s invasion of Ukraine launched distributed denial-of-service (DDoS) attacks across the United States. In the fall, armed conflict broke out between Israel and the Hamas militant group. These events triggered an uptick in cyberattacks against critical infrastructure sectors globally, including in the United States, as nation-states sought to destabilize their adversaries.
In November, water and wastewater utilities nationwide were targeted in a series of cyberattacks attributed to CyberAv3ngers, an Iranian-backed advanced persistent threat (APT) group. In these incidents, the threat actors compromised Unitronics programmable logic controllers (PLCs) used mainly in the Water and Wastewater sector but also deployed in other industries, including energy, food and beverage manufacturing, and healthcare. CyberAv3ngers claimed responsibility for over a dozen cyberattacks launched since October 30, stating that they targeted Unitronics because it is Israeli-made and that “Every equipment ‘made in Israel’ is CyberAv3ngers legal target.”
The Energy and Defense sectors were also recently impacted when IntelBroker, an initial access broker known for targeting US government agencies, launched a cyberattack against General Electric (GE), which has divisions in the power, renewable energy, and aerospace industries. The threat actors exfiltrated sensitive Defense Advanced Research Projects Agency (DARPA) data comprising classified information, including weapons programs and artificial intelligence (AI) research.
As geopolitical tensions intensify, cyber threat tactics shift noticeably, and cyberattacks attributed to state-aligned APT groups have surged. APT28, a Russian threat group with ties to the General Staff Main Intelligence Directorate (GRU), leveraged a Microsoft Outlook zero-day identified as CVE-2023-23397 to target critical infrastructure in NATO countries. Additionally, nearly two dozen critical infrastructure organizations across the United States were compromised by threat actors affiliated with the Chinese People’s Liberation Army (PLA) within the past 12 months. Notably, military and communications networks on Guam were targeted in a string of attacks attributed to Volt Typhoon, a Chinese state-sponsored APT group.
Ransomware Evolution
Ransomware attacks underwent a notable evolution in 2023, demonstrating a higher level of sophistication and a more calculated approach by cybercriminals. The current ransomware landscape is characterized by highly organized criminal groups that employ sophisticated techniques and tactics. Rather than indiscriminate attacks, threat actors focused on strategic targets, including critical infrastructure networks and high-profile organizations.
The Healthcare and Public Health (HPH) sector has been heavily targeted with ransomware throughout the year. Most recently, Hackensack Meridian Health and Mountainside Hospital in Montclair, both in New Jersey, were impacted after Ardent, a healthcare services provider based in Tennessee, suffered a ransomware attack. Ardent operates roughly 30 hospitals and over 200 facilities across six US states.
Ransomware groups are increasingly leveraging vulnerabilities to gain initial access to targeted networks. Nearly a third of ransomware attacks in the first half of 2023 were launched by exploiting vulnerabilities, and zero-day exploitation has increased globally. The NJCCIC observed patterns in which APT groups rapidly developed and deployed exploits for vulnerabilities, such as Citrix Bleed, to effectively target public and private NJ organizations. Tracked as CVE-2023-4966, the Citrix Bleed vulnerability allows threat actors to obtain valid session tokens from the memory of internet-facing NetScaler devices. Because a stolen token represents an already-authenticated session, it can be replayed to hijack that session and bypass authentication, including multi-factor authentication (MFA), to gain unauthorized access, steal data, and launch ransomware attacks. Researchers determined that the vulnerability has been exploited since at least August 2023 and by at least six cyber threat groups.
Earlier this year, the Cl0p ransomware group exploited a SQL injection vulnerability, CVE-2023-34362, found in Progress Software’s MOVEit Transfer file transfer solution, which allowed them to access the underlying database. Organizations impacted by the attacks include governments, financial institutions, educational organizations, medical facilities, and more. The number of victims affected by the MOVEit vulnerability has surged to an estimated 2,120 organizations, which equates to an impact of roughly 62 million individuals as of September.
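The MOVEit flaw is described above only as “a SQL injection vulnerability ... which allowed them to access the underlying database,” and the bulletin gives no detail of the vulnerable code. The following self-contained script, added here as an illustration and unrelated to Progress Software’s actual code, shows the general mechanism with a constructed SQLite schema: the same lookup written by string concatenation and with a parameterized query, driven by two constructed payloads, one that defeats the WHERE clause and one that uses UNION to read the schema catalogue and then another table, which is the “access to the underlying database” step an attacker chains into data theft.

```python
"""Vulnerable and hardened versions of the same database lookup, showing how a
SQL injection flaw hands an attacker the underlying database. Added example;
the schema, rows and payloads are constructed and unrelated to MOVEit."""
import sqlite3


def make_sample_db():
    """In-memory database with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE users (username TEXT, email TEXT, api_token TEXT);
        INSERT INTO users VALUES ('alice', 'alice@example.test', 'tok-a1');
        INSERT INTO users VALUES ('bob',   'bob@example.test',   'tok-b2');
        INSERT INTO users VALUES ('carol', 'carol@example.test', 'tok-c3');
    """)
    return conn


def lookup_user_vulnerable(conn, username):
    """String-built query: the caller's input becomes part of the SQL text,
    so quotes and keywords in it change the statement's meaning."""
    query = f"SELECT username, email FROM users WHERE username = '{username}'"
    return conn.execute(query).fetchall()


def lookup_user_safe(conn, username):
    """Parameterized query: the driver binds the value separately from the
    statement, so the same payloads are matched literally and return nothing."""
    return conn.execute(
        "SELECT username, email FROM users WHERE username = ?", (username,)
    ).fetchall()


# Constructed attacker payloads. TAUTOLOGY turns the WHERE clause into a
# condition that is always true; the UNION payloads append a second SELECT
# whose two columns line up with (username, email), first against the schema
# catalogue to learn table and column names, then against the table itself
# to pull a column the application never meant to return.
TAUTOLOGY = "' OR '1'='1"
SCHEMA_DUMP = "x' UNION SELECT name, sql FROM sqlite_master --"
TOKEN_DUMP = "x' UNION SELECT username, api_token FROM users --"

if __name__ == "__main__":
    db = make_sample_db()
    for payload in (TAUTOLOGY, SCHEMA_DUMP, TOKEN_DUMP):
        print("vulnerable:", lookup_user_vulnerable(db, payload))
        print("safe:      ", lookup_user_safe(db, payload))
```

The parameterized version returns no rows for every payload because the bound value is compared as data; the vulnerable version returns every user, then the CREATE TABLE statement, then the API tokens. Python’s sqlite3 executes only one statement per call, so stacked queries (appending a second statement after a semicolon) are not demonstrated here, but UNION-based reads alone are enough to walk a database.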
AI and Machine Learning
While neither is a new concept, artificial intelligence (AI) and machine learning (ML) became household conversation starters in 2023. The introduction of ChatGPT in November 2022 ignited the public’s interest in generative AI tools and in AI and ML as a whole. As with many technological advancements, there is the potential for significant benefits to society and the risk of misuse by adversaries.
Regarding cybersecurity, AI and ML offer both offensive and defensive capabilities. Cyber attackers have increasingly harnessed AI and ML techniques to enhance attacks by automating tasks, adapting to evolving defenses, and launching more sophisticated and targeted attacks. Additionally, AI-powered tools can identify vulnerabilities to exploit, automate phishing attacks, and optimize social engineering tactics. However, AI can also be used to better defend and safeguard networks. AI and ML play a vital role in identifying and mitigating cyber threats by detecting anomalous behavior, automatically responding to attacks in real-time, reducing false positives and negatives, and offering greater scalability and cost savings. Generative AI can also assist network defenders in writing rules for security tools to effectively identify and block malicious network traffic. On a broader scale, generative AI can offset resources needed for more mundane tasks, freeing up valuable time for staff to focus on more complex responsibilities.
Nation-states are likely to adopt AI technology widely to advance their economic status and influence. Malicious use of AI, such as deepfake technology, will be increasingly embraced by nation-states and non-governmental groups alike. Notable improvements to deepfake technology have increased its believability, making it more difficult for the general public to distinguish real images and videos from synthetic ones. Adversaries will use this technology in disinformation campaigns to sow unrest and undermine governments and organizations.
Over the past month, threat actors increased efforts to target Verizon Wireless cellphone subscribers with social engineering tactics, impersonating Verizon Wireless technical support and fraud agents using spoofed Verizon Wireless phone numbers and SMS text messages. For example, threat actors contact the target and claim that the account has been compromised and used to attempt phone purchases. Because the account is supposedly on hold due to the compromise and a failed autopayment, they try to convince the target to make a payment through Zelle; if the target pays, the result is stolen personal information and funds.
In another campaign, the threat actors informed the target that someone had tried to purchase thousands of dollars’ worth of Verizon merchandise. They advised the target to change their password, which gave the threat actors access to the account, including the bank account information used for autopay. They also claimed they had to migrate the account to another platform and issue a charge. Once the target became suspicious, the threat actors threatened to lock the target’s phones and did so; however, the real Verizon Wireless was able to reactivate the phones. In a similar campaign, threat actors claimed the target’s account had been locked for security purposes and sent the target a temporary password. They further claimed they had to migrate the phone service to a new platform and that the account was suspended. The target was asked to resubmit two Zelle payments from their bank account to reinstate it, with the promise that the threat actors would immediately transfer the money back into the target’s account.
Threat actors may also claim there is suspicious activity on the account and that someone is trying to add two phone lines to it. They advise the target that the phone lines need to be transferred to another platform under a new account number, and that the target must make a payment in the exact amount of their last Verizon Wireless payment, which would supposedly be transferred back to the account. Additionally, they claim Verizon Wireless has a new policy of not using or sharing bank or credit card information and instead advise the target to submit payment through Zelle.
In a separate campaign, threat actors notified the target that the account had been flagged for suspicious activity because several iPhones had been purchased and shipped to multiple addresses, including the home address on file. The threat actors read back the addresses and asked whether the target had made these purchases; the target said no. They claimed they could not stop the shipment because it had already left the warehouse, and that the target would be charged for the phones unless they were returned. The target again said no and asked to reroute the one package to the home address. The target then received an SMS text message with an authorization code, which they shared with the threat actors.