New PowerDrop malware targets U.S. aerospace defense industry
Researchers from the Adlumin Threat Research group warn that the PowerShell-based malware uses advanced techniques to evade detection, including deception, encoding, and encryption. At this time Adlumin has yet to link the malware to a specific threat actor, but they believe it could be a nation-state actor due to the level of sophistication of the malware and the nature of the targets. The researchers discovered PowerDrop in the network of a domestic aerospace defense contractor in May 2023.
Zipper giant YKK confirms cyberattack targeted U.S. networks
Japanese zipper manufacturer YKK has confirmed that hackers hit its U.S. operations recently, but the company contained the threat before damage was caused. The company, headquartered in Tokyo, would not confirm if ransomware had been involved, but a spokesperson told Recorded Future News that its cybersecurity team “contained the threat before significant damage was done or sensitive information was exfiltrated.” Although no group has been formally identified in this attack, the LockBit ransomware group posted the company on its leak site on June 2, threatening to leak data stolen from YKK by June 16.
Barracuda urges customers to replace vulnerable appliances immediately
Following up on a story we covered last week, enterprise security company Barracuda has now warned its customers against using email security gateway (ESG) appliances that were impacted by a recently disclosed zero-day exploit. They add that these appliances should be replaced immediately. Barracuda had issued a patch for the vulnerability last month, specifically to stop the exploit, which had been active since October 2022, from allowing ESG backdooring. The company explained that the vulnerability existed in a module which screens the attachments of incoming emails, but added that no other Barracuda products, including SaaS email security services, were subject to the vulnerability identified.
Easily exploitable Microsoft Visual Studio bug opens developers to takeover
A new bug in the Microsoft Visual Studio installer is giving cyberattackers a new way to create and distribute malicious extensions to application developers while pretending to be a legitimate software publisher. This would of course allow them to infiltrate development environments to gain control, poison code, and steal IP. Microsoft issued a patch for the spoofing vulnerability, tracked as CVE-2023-28299, as part of its April monthly security update. According to Varonis, this bug warrants attention, since it is easily exploitable and exists in a product that has 26% market share and more than 30,000 customers.
Thanks to this week’s episode sponsor, Trend Micro
Scientists claim greater than 99 percent identification rate of ChatGPT content
A team of researchers led by the University of Kansas believe their classifier is more effective in identifying ChatGPT-generated text because it focuses on the stylistic differences between human and AI writing. They point out that “scientists use a richer vocabulary and write longer paragraphs containing more diverse words than machines. They also use punctuation like question marks, brackets, semicolons more frequently than ChatGPT, except for speech marks used for quotations.” The researchers also point out that material produced by ChatGPT is less precise, avoiding specifics in data or references. In addition, ChatGPT uses few equivocal terms such as “however”, “but”, “although”, “this”, and “because”. “Since the key goal of this work was a proof-of-concept study, the scope of the work was limited, and follow-up studies are needed to determine the extent of this approach’s applicability,” the researchers wrote in their paper.
Cisco fixes AnyConnect bug giving Windows SYSTEM privileges
Cisco has now fixed a high-severity vulnerability within Cisco Secure Client (formerly AnyConnect Secure Mobility Client) software which could allow attackers to escalate privileges to the SYSTEM account used by the operating system. According to Bleeping Computer, “this software enables employees to work from anywhere via a secure Virtual Private Network (VPN) and provides admins with endpoint management and telemetry features. Low-privileged, local attackers would have been able to exploit this security flaw (tracked as CVE-2023-20178) in low-complexity attacks that don’t require user interaction.” The bug was fixed in AnyConnect Secure Mobility Client for Windows 4.10MR7 and Cisco Secure Client for Windows 5.0MR2.
New ChatGPT attack technique spreads malicious packages
Information about this discovery, made by Vulcan Cyber’s Voyager18 research team, was published in an advisory this week. Based on their proof of concept, researcher Bar Lanyado said the team identified a new malicious package spreading technique they called “AI package hallucination.” The technique, as quoted in InfoSecurity Magazine, “involves posing a question to ChatGPT, requesting a package to solve a coding problem, and receiving multiple package recommendations, including some not published in legitimate repositories.” The researchers state that “by replacing these non-existent packages with their own malicious ones, attackers can deceive future users who rely on ChatGPT’s recommendations.”
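As an added illustration (not code from the article or from Vulcan Cyber), the defender-side check below gates assistant-suggested dependencies against an approved inventory before anything is installed, flagging names that are absent and, separately, names that merely resemble a known package; the inventory and the requirement lines are constructed sample data, not real recommendations.

```python
import difflib
import re

# Constructed sample inventory: names present in an internal mirror or lockfile.
KNOWN_PACKAGES = {"requests", "flask", "sqlalchemy", "python-dateutil", "pyyaml"}

# Constructed sample of an assistant's suggested requirements. The last two names are
# invented for this example: a plain hallucination and a misspelling of a real name.
ASSISTANT_REQUIREMENTS = """
requests>=2.28
Flask==2.3.2
python_dateutil
PyYAML>=6
example-hallucinated-pkg
requets
"""

_NAME_RE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)")

def normalize(name):
    """PEP 503 normalisation: lower-case, runs of '-', '_', '.' become a single '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()

def parse_requirements(text):
    """Return project names from requirements-style lines, dropping version specifiers."""
    names = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # ignore comments and blank lines
        match = _NAME_RE.match(line)
        if match:
            names.append(match.group(1))
    return names

def triage(text, known=KNOWN_PACKAGES):
    """Split suggested names into approved and unknown; note unknowns that look like a known one."""
    known_norm = {normalize(k) for k in known}
    report = {"approved": [], "unknown": [], "lookalike": {}}
    for name in parse_requirements(text):
        norm = normalize(name)
        if norm in known_norm:
            report["approved"].append(name)
            continue
        report["unknown"].append(name)  # refuse until verified in the real registry
        close = difflib.get_close_matches(norm, known_norm, n=1, cutoff=0.8)
        if close:
            report["lookalike"][name] = close[0]  # possible typo or lookalike of a real package
    return report
```

Anything under `unknown` is held back until a human confirms the package exists, is maintained, and is the one actually intended; the `lookalike` entries are the ones most worth a second look.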
German recruiter Pflegia leaks sensitive job seeker info
The research team at Cybernews has discovered an open Amazon Web Services (AWS) cloud instance containing over 360,000 files that it deduced belong to Pflegia, a German healthcare recruitment platform that hires healthcare professionals for hospitals, nursing homes, outpatient services, and intensive care. The exposed AWS bucket held hundreds of files containing sensitive information within user-submitted resumes. This included full names, dates of birth, occupation history, home addresses, phone numbers, and email addresses.