TODAY'S TOP 5
McCrary Institute for Cyber & Critical Infrastructure Security
Working to protect and advance U.S. interests in the areas of cyber and critical infrastructure security.
DOD IG SAYS AI OFFICE IS LAGGING: The Defense Department’s Office of Inspector General found that the Chief Digital and Artificial Intelligence Office was overdue in developing an implementation plan for the DoD’s AI Adoption Strategy and AI policy, according to its report evaluating the office’s effectiveness in artificial intelligence services and governance. As a result of the delays in issuing these key foundational documents, the CDAO’s roles and responsibilities for DoD data, analytics and AI were not clearly defined to DoD stakeholders, the OIG said, which could impact whether DoD may effectively implement or achieve AI’s full benefits.
NEW TRAINING PLATFORM AT CISA: CISA Learning, a learning management system that will modernize training and education for its employees and key stakeholders, was launched by the agency. It aims to ensure the same training available to CISA personnel is also available free of charge to the nation’s veterans and partners from federal, state, local, tribal and territorial levels of government. CISA Learning replaces the Federal Virtual Training Environment (FedVTE). As CISA transitions to this centralized platform, all training programs will now be housed under one unified system.
FULL STEAM AHEAD FOR ENERGY CYBER OFFICE: The Energy Department's new office for sharing cyber intelligence is moving beyond its pilot phase and going fully operational, building off work within the past year to alert industry to cyber threats to energy systems, Federal News Network reports. The Energy Threat Analysis Center officially transitioned to “steady state operations” in October, according to ETAC Director Elke Sobieraj. DOE’s Office of Cybersecurity, Energy Security and Emergency Response established ETAC as a pilot program in April 2023.
CLOCK TICKS FOR CYBER BILLS: A House Republican late last week introduced legislation to untangle the country’s jumble of cybersecurity regulations, keeping the bipartisan proposal alive as Congress finishes its work for 2024, The Record reports. This and a companion Senate bill would require the White House’s national cyber director to establish a committee to harmonize the patchwork of cyber requirements imposed on the private sector by federal regulatory agencies.
DISINFORMATION OFFICE ON THE ROPES: As the Trump administration prepares to take office and Republicans get set to assume majority control of the House and Senate, a small-but-controversial federal office focused on disinformation campaigns abroad is fighting for its life, FedScoop reports. Funding for the State Department’s Global Engagement Center is set to terminate at the end of the year as officials there argue that AI has made their work more important.
CYBER FOCUS PODCAST
In the latest episode of Cyber Focus, host Frank Cilluffo interviews Kiersten Todt, president of Wondros, a creative firm focused on social and policy change. Todt, who previously served as chief of staff at the Cybersecurity and Infrastructure Security Agency (CISA) and as a senior advisor on the Senate Homeland Security Committee, shares insights on the challenges and advancements in cybersecurity workforce development, public-private collaboration, and the critical role of community involvement in cybersecurity initiatives.
SUBSCRIBE TO CYBER FOCUS: YouTube | Spotify | Apple Podcasts
FROM McCRARY EXPERTS
WATCH: George Barnes on IT Brews
McCrary senior fellow George Barnes joined IT Brew for a conversation on where his priorities lie in the current threat landscape, including cyber vulnerabilities within U.S. infrastructure, election security, how to prepare for quantum computing to be used as a nation-state hacking tool, how cybercriminals use AI and, ultimately, what’s keeping him up at night. (CYBERSECURITYEXCELLENCE.ITBREW.COM)
CYBER AND CI UPDATES
ATTACKS AND INCIDENTS
Breaches
Space tech giant Maxar discloses employee data breach
Hackers breached U.S. satellite maker Maxar Space Systems and accessed personal data belonging to its employees, the company said in a notification to impacted individuals. The threat actor compromised the company network about a week before the discovery of the intrusion. Immediately after discovering the unauthorized access, the company took action to prevent the hackers from reaching further into the system. (BLEEPINGCOMPUTER.COM)
British software company Microlise confirms hackers compromised corporate data
The attack on Microlise had knock-on effects on the company’s customers, including leaving British prison vans without functioning tracking systems or panic alarms. In a statement to the London Stock Exchange, Microlise said “the vast majority of customer systems are back online, with some remaining customers conducting their own security verifications before enabling users.” (THERECORD.MEDIA)
Ransomware attack on Oklahoma Medical Center impacts 133,000
The public, not-for-profit healthcare system discovered the attack on September 8, 2024, when ransomware was deployed, but the attackers had access to its systems for at least three days prior. According to the medical center, the attackers accessed and encrypted certain files between September 5 and September 8, and exfiltrated information from its systems. (SECURITYWEEK.COM)
AI training software firm iLearningEngines says it lost $250,000 in recent cyberattack
In an 8-K regulatory filing on Monday with the U.S. Securities and Exchange Commission, iLearningEngines said it had experienced a “cybersecurity incident” that saw an unnamed threat actor recently access the organization’s network. The company said once inside the company’s network, the hacker “misdirected a $250,000 wire payment,” which iLearningEngines has not been able to recover. (TECHCRUNCH.COM)
Germany: Compensation owed to Facebook data breach victims
Millions of German Facebook users whose data was illegally obtained and leaked in a major security breach are eligible for compensation, Germany's Federal Court of Justice (BGH) ruled on Monday. The court in the southwestern city of Karlsruhe, Germany's highest court for civil cases, said that the basic loss of control over data online was grounds for damages — without plaintiffs having to prove any specific financial losses, misuse of the data or even that they have been particularly concerned. (DW.COM)
Cybercrime
Black Friday turning into Black Fraud Day, says UK cybersecurity chief
The festive season had become “prime time for cybercriminals” as consumers hunted for deals, said Richard Horne, the chief executive of GCHQ’s National Cyber Security Centre (NCSC). Fraudsters were “targeting bargain hunters with increasingly sophisticated scams, sometimes crafted using AI, making them harder to detect,” he added. (THEGUARDIAN.COM)
MORE: Fake discount sites exploit Black Friday to hijack shopper information (THEHACKERNEWS.COM)
Healthcare
Gang shaking down Alabama-based pharmacy group for second ransom payment
The cybercriminal gang claims on its dark web site that AAP already paid a $1.3 million ransom for a decryptor key, but still owes another $1.3 million the association agreed to pay in exchange for Embargo's promise to delete the stolen data. A countdown on Embargo's dark website on Monday threatens to release the data from the Scottsboro-based pharmacy group by midweek unless the ransom is paid. (HEALTHCAREINFOSECURITY.COM)
Malware
‘ClickFix’ cyberattacks for malware deployment on the rise
ClickFix is a unique social engineering technique that uses dialogue boxes containing fake error messages to lure people into copying, pasting and running malicious content on their own computer. It is effective at bypassing security protections as the user infects themselves. This tactic preys on users’ desire to fix problems themselves rather than alerting their IT team or anyone else. (INFOSECURITY-MAGAZINE.COM)
New stealthy BabbleLoader malware spotted delivering WhiteSnake and Meduza stealers
Evidence shows that the loader is being used in several campaigns targeting both English and Russian-speaking individuals, primarily singling out users looking for generic cracked software as well as business professionals in finance and administration by passing it off as accounting software. (THEHACKERNEWS.COM)
Phishing
U.S. government agencies impersonated in aggressive DocuSign phishing scams
For instance, a contractor might receive a DocuSign notification that looks like it’s from the Department of Health and Human Services or the Maryland Department of Transportation. Once a targeted individual opens the malicious document, they are asked to provide sensitive information or authorize fraudulent transactions. (HACKREAD.COM)
MORE: One in five DocuSign spoofs targeting businesses found to be impersonations of regulatory agencies (SCWORLD.COM)
Fake Donald Trump assassination story used in phishing scam
The story, which implies it is from the New York Times (NYT), describes Trump in a critical condition after being shot by Iranian agents. Curiously, it also states that the information is “classified”. By impersonating brands, like news media organizations, attackers create an image of credibility. (INFOSECURITY-MAGAZINE.COM)
Ransomware
Akira ransomware racks up 30-plus victims in a single day
Akira ransomware group has updated its data-leak website on Nov. 13-14, listing more than 30 of its latest victims — the highest single-day total since the gang first began its malicious operations in March of last year. The group spares no one, targeting a variety of industries globally, and operates using a ransomware-as-a-service (RaaS) model, stealing sensitive data before encrypting it. (DARKREADING.COM)
Upstart SafePay ransomware group uses LockBit builder, claims 22 victims
Huntress discovered that an obscure operation known as SafePay was behind two incidents targeting its customers in October 2024. Huntress was able to investigate the group and reverse engineer its ransomware binary due to weaknesses in both the SafePay website and the threat actor’s binary obfuscation method. (SCWORLD.COM)
Scams
Microsoft 365 Admin portal abused to send sextortion emails
Over the past week, people on LinkedIn, X, and the Microsoft Answers forum reported receiving sextortion emails through the Microsoft 365 Message Center, allowing the scams to bypass spam filters and land in the inbox. The sextortion emails came from "[email protected]," which may feel like a phishing address but is actually Microsoft's legitimate email address. (BLEEPINGCOMPUTER.COM)
How a husband hacked the scammers who targeted his wife, then gave investigators the info he learned
Grant Smith, founder and president of Phantom Security Group, made it his mission to track down the group responsible for tricking his "very, very smart" and tech-savvy wife with faked U.S. Postal Service texts. The "smishing" group that Smith cracked resulted in recovering data from more than 390,000 distinct credit cards. (PEOPLE.COM)
THREATS
Critical infrastructure
Thames Water’s IT ‘falling apart’ and is hit by cyberattacks, sources claim
Thames, the UK’s largest water and waste treatment company, is on a “knife-edge” according to sources, with its resilience in doubt because it depends on an array of creaking – often Victorian – infrastructure. While plenty of attention has been paid to its pipes, trunk mains and sewage overflows, less well understood is another big problem: its computer systems. (THEGUARDIAN.COM)
Healthcare
How to protect telemedicine from cyberattacks
There are crucial strategies for healthcare organizations to fortify their defenses against cyberattacks in the virtual care landscape. With more patients accessing care virtually, organizations must prioritize timely software updates, secure communication channels and identity verification methods to protect sensitive health data. (HEALTHCAREITNEWS.COM)
Vulnerabilities
VMware discloses exploitation of hard-to-fix vCenter server flaw
The difficult-to-fix vulnerability, first revealed at a Chinese hacking contest five months ago, is now being exploited in the wild, the company confirmed on Monday. The virtualization technology giant issued an urgent update to its VMSA-2024-0019 bulletin with an acknowledgement of the live attacks and a call-to-arms for customers to prioritize the deployment of available fixes. (SECURITYWEEK.COM)
Fake Bitwarden ads on Facebook push info-stealing Chrome extension
Fake Bitwarden password manager advertisements on Facebook are pushing a malicious Google Chrome extension that collects and steals sensitive user data from the browser. Bitwarden is a popular password manager app with a "free" tier featuring end-to-end encryption, cross-platform support, MFA integration, and a user-friendly interface. (BLEEPINGCOMPUTER.COM)
Critical vulnerabilities found in Mongoose Web Server Library, updating to v7.15 remediates issues
Nozomi Networks identified 10 critical vulnerabilities in the latest 7.14 version of the Mongoose Web Server Library. These vulnerabilities are found in Mongoose’s TLS implementation and can be exploited by sending a maliciously crafted TLS packet to the target device. An attacker, with minimal network access, could crash a device using the Mongoose library by sending such a packet. (INDUSTRIALCYBER.CO)
Mozilla 0Din warns of ChatGPT sandbox flaws enabling Python execution
Cybersecurity researchers at Mozilla’s 0Din have identified multiple vulnerabilities in OpenAI’s ChatGPT sandbox environment. These flaws grant extensive access, allowing the upload and execution of Python scripts and the retrieval of the language model’s internal configurations. Despite reporting five distinct issues, OpenAI has so far addressed only one. (HACKREAD.COM)
ADVERSARIES
Iran
Cyber Authority warns of Iranian hackers attempting to breach Israeli orgs
In one attack, the Iranian hacker group sent an email titled "Israel's International Tourism Program," encouraging recipients to click on a link that launches a "phishing" attack aimed at infiltrating organizational computer networks, spying, and taking control. The group, MuddyWater, operates primarily in the Middle East and Israel. Their activity focuses on cyber espionage and targeted campaigns. (JPOST.COM)
North Korea
North Korean IT worker network tied to BeaverTail phishing campaign
Twelve months ago, the malware was used as a part of a phishing campaign called ‘Contagious Interview’ involving a North Korean threat cluster tracked as CL-STA-240. The campaign has since evolved, with new malware versions including a downloader compiled using the cross-platform Qt framework. This allows attackers to deploy malware on both macOS and Windows systems from a single source code. (INFOSECURITY-MAGAZINE.COM)
Russia
Russian man accused of being connected to multimillion-dollar ransomware gang is extradited to U.S.
The news is a win for the FBI, which typically has to wait until alleged ransomware kingpins leave Russia to try to arrest them because the US and Russia do not have an extradition treaty. Last year, ransomware operatives using Phobos extorted a North Carolina-based children’s hospital for about $100,000, and a California-based public school system for about $300,000, according to the indictment. (CNN.COM)
Suspected Russian hackers infect 20,000 IoT devices
Trend Micro uncovered a proxy botnet campaign that it attributed to a threat group tracked as Water Barghest that uses automated tools to scale up its activities, enabling the hacker to list the compromised devices on a proxy marketplace for renting almost immediately. "The whole procedure between initial infection and making the bot available as a proxy on the marketplace may take no longer than 10 minutes," Trend Micro said. (GOVINFOSECURITY.COM)
Apple still blocking access to news apps and podcasts at Moscow’s request
According to a statement by Radio Free Europe/Radio Liberty, for the third time Apple has blocked the outlet’s Russian-language news app following a request from Russia's media regulator, Roskomnadzor, which has designated RFE/RL as an "undesirable" organization in Russia. The app remains available in other countries. (THERECORD.MEDIA)
GOVERNMENT AND INDUSTRY
Artificial intelligence
Trump revoking Biden AI EO will make industry more chaotic, experts say
While the Biden AI executive order rules focus on model developers, its repeal could present some challenges for enterprises to overcome. Some companies, like Trump-ally Elon Musk’s xAI, could benefit from a repeal of the order, while others are expected to face some issues. This could include having to deal with a patchwork of regulations, less open sharing of data sources, less government-funded research and more emphasis on voluntary responsible AI programs. (VENTUREBEAT.COM)
War and peace in the age of artificial intelligence
From the recalibration of military strategy to the reconstitution of diplomacy, artificial intelligence will become a key determinant of order in the world. Immune to fear and favor, AI introduces a new possibility of objectivity in strategic decision-making. But that objectivity, harnessed by both the warfighter and the peacemaker, should preserve human subjectivity, which is essential for the responsible exercise of force. (FOREIGNAFFAIRS.COM)
Army Cyber AI monitoring tool moves to 12-month pilot
The tool, dubbed Panoptic Junction or PJ, is part of the Defense Department’s solution to fulfill a key directive in President Joe Biden’s watershed artificial intelligence executive order that, among many tasks, directed the secretary of defense to develop plans for, conduct and complete an operational pilot to “identify, develop, test, evaluate and deploy AI capabilities, such as large-language models, to aid in the discovery and remediation of vulnerabilities in critical United States Government software, systems, and networks.” (DEFENSESCOOP.COM)
Explicit deepfake scandal shuts down Pennsylvania school
An AI-generated nude photo scandal has shut down a Pennsylvania private school. On Monday, classes were canceled after parents forced leaders to either resign or face a lawsuit potentially seeking criminal penalties and accusing the school of skipping mandatory reporting of the harmful images. (ARSTECHNICA.COM)
ServiceTitan names LLMs from Microsoft, OpenAI as risk factors
ServiceTitan had a 1,150-word risk factor on how its use of AI, specifically generative AI, could adversely impact its business. It warned that LLM hallucinatory behavior could produce “inaccurate” information and engage in “discriminatory” behaviors; its LLMs could infringe on others’ copyright or intellectual property; and using LLMs means exposing more data to potential hacks and harm. Then again, if it can’t get enough data, it may not be able to continue offering AI products or building new ones. (TECHCRUNCH.COM)
Healthcare
Health systems band together to test and publicly rank top AI models
As Google, Amazon, Microsoft and OpenAI rapidly expand their suite of artificial intelligence offerings, providers say they don’t know how to compare the efficacy of products or determine which tool might best meet their specific needs. A group of health systems, led by Boston-based Mass General Brigham, is hoping to solve that problem. (MEDTECHDIVE.COM)
IT
Lawrence Livermore’s El Capitan supercomputer is officially fastest in the world
The El Capitan supercomputer housed at Lawrence Livermore National Laboratory in California was officially named the fastest supercomputer in the world, processing a peak of 2.7 exaflops and able to perform 1.742 quintillion calculations per second, a 20-fold increase over the lab’s flagship system, Sierra. (NEXTGOV.COM)
LEGISLATIVE UPDATES
VETERANS AFFAIRS HEARING: On Nov. 20 at 9 a.m., the House Veterans Affairs Subcommittee on Technology Modernization will hold an oversight hearing on “VA Cybersecurity: Protecting Veteran Data from Evolving Threats.”
WORLDWIDE THREATS HEARINGS: On Nov. 20 at 10 a.m., the House Homeland Security Committee will hold a hearing to review global threats with agency leaders.
On Nov. 21, the Senate Homeland Security and Governmental Affairs Committee will also hear from agency leaders in a hearing to review current threats to the homeland.
EVENTS
CYBERSECURITY FUTURES FORUM: This cybersecurity conference on Nov. 20 in Tysons Corner, Va., hosted by GovExec’s Nextgov/FCW, Defense One and Washington Technology, will feature leaders from federal and defense sectors to tackle pressing cybersecurity challenges. Mainstage discussions will focus on proactive measures, regulatory updates and emerging cybersecurity standards essential for operational readiness.
OPERATIONAL TECHNOLOGY: Join government leaders and industry experts on Dec. 3 in Washington, D.C., to explore advanced strategies for protecting U.S. operational technology and critical infrastructure and understand the biggest threats facing these sectors today.