SAN MATEO, CA, June 10, 2024 — Cybersecurity news weekly roundup. Stories, news, politics, and events that impacted the network security industry last week. Brought to you by NetworkTigers.
Nearly half of all internet traffic is from bots
At Infosecurity Europe 2024, CEO of Veracity Trust Network Nigel Bridges said that the company observed that nearly 50% of all internet traffic in 2022 resulted from bot activity. Further, 30% of bot activity is malicious. Bridges cautions that AI implementation may further exacerbate this fraudulent traffic and that current bot protection tools are not up to the task. “Current malicious bots bypass cyber protections increasingly easily, partly because bot defense systems tend to work in the server – also known as the ‘edge’ – and not in the browser… Bot protection tools need to work in the browser and assess the minutia of visitor behavior to catch them all,” he said. Cybercriminals and nation-state actors use bots to disrupt, propagate malware, espionage, and for ransomware attacks. Read more.
New Fog ransomware hits educational institutions
A new ransomware operation breaches the networks of educational institutions in the US via compromised VPNs. The ransomware group, called Fog, follows the typical pattern of double extortion and can insert themselves into systems using compromised VPN credentials. According to research from Bleeping Computer, “once they gain access to the internal network, the attackers perform “pass-the-hash” attacks on administrator accounts, which are used to establish RDP connections to Windows servers running Hyper-V.” Once Fog has encrypted a victim’s data, “a ransom note is created and dropped on impacted directories, providing instructions to the victims on paying for a decryption key that will help them get their files back.” A link within the note directs the victim to a Tor dark website with a chat box for negotiations. Read more.
Russian influence campaign sights set on Olympic Games
A pair of Russian online influence operations are engaged in efforts to undermine the 2024 Summer Olympic Games in Paris via fake news, altered photos, and AI-enhanced video content. The aim of the campaigns, according to a report from Microsoft, is to spread fear about the possibility of violence at the games as well as damage the reputation of the International Olympic Committee (IOC). The groups responsible for the content, Storm-1679 and Storm-1099, began the campaign last summer with a full-length film featuring a fake Netflix intro, fake reviews, an AI-generated narration seemingly meant to sound like Tom Cruise, and even the involvement of celebrities who were commissioned via Cameo to promote it, unbeknownst to them. Since then, the campaign has posted videos that purport to be from the CIA and other France-based agencies themed around corruption within the IOC and terrorist threats at the games. Russia has been banned from the Olympics by the IOC before, and its legacy consists of cyberattacks and a doping scandal. Read more.
TikTok scrambles to stop attacks on high-profile accounts
A campaign compromising celebrity and brand accounts on TikTok is currently being addressed by administrators at TikTok, who have not revealed details regarding the nature of the attacks or the mitigation techniques they’re using to prevent them. Affected accounts include Paris Hilton, Sony, and CNN and, according to researchers, likely involved malware sent through TikTok’s direct messages. The motivation behind the takeovers is not clear, as the compromised accounts have yet to post anything to the platform. TikTok’s statement regarding the compromises is vague, allegedly to avoid the threat actors responsible from gleaning details about how the company plans to stop them. “We have taken measures to stop this attack and prevent it from happening in the future. We’re working directly with affected account owners to restore access, if needed,” said TikTok. Read more.
Ransomhub is rebrand of Knight ransomware
Ransomhub, a new ransomware strain targeting the healthcare sector and other businesses all over the globe, is a rebrand of Knight ransomware. Ransomhub rose to popularity recently for its involvement in attacks against Change Healthcare. Ransomhub is advertised on RAMP, a cybercrime forum, and employs phishing and spear phishing campaigns to breach victims. The group has pledged not to carry out attacks against Cuba, China, or North Korea, otherwise known as the Commonwealth of Independent States. Knight ransomware, itself a rebrand of Cyclops ransomware, was first discovered in May of 2023 but shut down in February 2024 after its source code was put up for sale. Read more.
FBI warns about crypto scams disguised as job ads
Scammers are using phony remote employment ads to pose as recruiters from real companies and steal cryptocurrency from unsuspecting US-based job seekers, according to a warning issued by the FBI. “The scammers pose as a legitimate business, such as a staffing or recruiting agency, and may contact victims via an unsolicited call or message,” said the agency. The FBI goes on to say that the criminals “design the fake job to have a confusing compensation structure that requires victims to make cryptocurrency payments to earn more money or ‘unlock’ work, and the payments go directly to the scammer.” The FBI says that job hunters should be wary of “recruiters” asking for crypto payments to their alleged employer as part of their work, which is typically suspiciously easy tasks. Read more.
Collections agency data breach affects 3.2 million
Financial Business and Consumer Solutions, a debt collection agency “specializing in collecting unpaid debts from consumer credit, healthcare, commercial, auto loans and leases, student loans, and utilities,” has revealed that a February data breach has impacted more than 3.2 million people. The information exposed in the breach includes full names, social security numbers, birth dates, account data, and driver’s license numbers. Data breach notifications have been sent to people affected to inform them of actions they should take, although now arriving three months after the actual intrusion took place. Recipients also get a free 24-month credit monitoring and identity restoration service. The company has not disclosed the nature of the breach but has assured people that it has implemented more robust security measures. Read more.
AI expert warns of havens for dangerous products
Self-described deepfake/AI “cartographer” Henry Adjer is warning that differing AI regulations in various countries could create “AI tax havens” in nations with fewer laws. “Different countries will have different attitudes, and my concern is we might see the equivalent of AI tax havens – countries that intentionally do not put in place legislation, [in order] to attract investment … but it leads to irresponsible products being built which go on to have a global impact.” The impact he refers to is one in which people can create deepfake audio recordings or videos in countries where doing so is not illegal and then set them loose upon the world at large. Adjer warns that the prevalence of deepfakes will also provide deniability for bad actors engaging in destructive behavior and a “poisoning of the well, a corrupting of the information ecosystem.” Read more.
AI startup Hugging Face reports unauthorized access
Hugging Face has disclosed that “unauthorized access” to its AI model and resource-sharing platform Spaces has been detected. The AI startup went on to specify that the intrusion related to Spaces secrets, which are “private pieces of information that act as keys to unlock protected resources like accounts, tools and dev environments.” Some secrets, the company believes, may have been accessed by an unknown third party. The breach occurred at a challenging time for Hugging Face, as its security practices have been seen as inadequate by researchers who found vulnerabilities within the company’s code and evidence that some code “covertly installed backdoors and other types of malware on end-user machines.” Read more.
Ticketmaster breach affects 560 million customers
Live Nation, Ticketmaster’s parent company, revealed in an SEC filing that the data of 560 million users was exposed in a security breach affecting a “third-party cloud database environment containing company data.” The 1.3TB of information stolen from the company, which includes customer names, addresses, phone numbers, email addresses, credit card data, and more, is being sold on the dark web as a “one-time sale” for $500,000. The threat actor responsible for the breach is known as ShinyHunters and is also behind the online data listing. Live Nation is playing down the severity of the breach, assuring that “the incident has not had, and we do not believe it is reasonably likely to have, a material impact on our overall business operations or on our financial condition or results of operations.” Read more.
More cybersecurity news
- Last week’s news
- More cybersecurity news
- All articles brought to you by NetworkTigers
