- Europe Leads the Charge, Google and MITRE follow: Groundbreaking AI Regulation Takes Effect
- CLOP Ransomware Strikes US Government Agencies
- Beware of the Wolf in Researcher's Clothing: Fake GitHub Repos Spreading Malware
- GravityRAT Strikes Again: Android Spyware Targets WhatsApp Backups
- SMS-Based Location Tracking Is the New Threat to Privacy
- The European Union Parliament has approved the Artificial Intelligence Act, setting a new precedent in AI governance.
- High-risk AI applications such as biometric identification, critical infrastructures, educational systems, and employment practices will be particularly affected.
- The Act aims to balance AI innovation with safeguarding fundamental rights, mitigating potential risks while encouraging technological advancement.
- A European Artificial Intelligence Board will be established to ensure consistent application of the law across the EU.
The European Union's new Artificial Intelligence Act is a major step in AI regulation, balancing the need to reduce risks while fostering tech innovation. The Act focuses on "high-risk" AI systems - those with potential to greatly impact health, safety, or fundamental rights - which will undergo stringent checks prior to market launch. This approach ensures increased transparency and accountability for AI system providers.
The establishment of a European Artificial Intelligence Board ensures the Act's consistent application across EU member states, while also facilitating the exchange of best practices. This board is a key part of the Act's aim for accountability, especially from major tech companies, and for maintaining ethical AI deployment.
However, striking the right balance to avoid over-regulation is important. Google and MITRE have also suggested AI regulation frameworks, emphasizing risk mitigation without hampering innovation and considering AI-associated threats.
- US federal government agencies, including the Department of Energy (DoE), were targeted in a global ransomware attack exploiting vulnerabilities in MOVEit software.
- The attack was allegedly orchestrated by the notorious CLOP ransomware gang, Lace Tempest.
- The cyber criminal exploited a critical software vulnerability in MOVEit, a file-transfer software developed by Progress Software Corp.
- The ransomware group has promised to delete all government data, making no ransom demands.
The attack was allegedly carried out by the notorious CLOP ransomware gang, Lace Tempest, which exploited a critical software vulnerability in MOVEit, a file-transfer software developed by Progress Software Corp. The vulnerability allowed remote attackers to gain unauthorized access to the software's database. The cyber criminals exploited this vulnerability to breach two DoE entities, Oak Ridge Associated Universities and a contractor affiliated with the Waste Isolation Pilot Plant (WIPP), a radioactive waste storage facility located around Carlsbad, New Mexico.
Interestingly, the ransomware group has promised to delete all government data, making no ransom demands. This is a departure from the usual modus operandi of ransomware gangs, which typically demand a ransom in exchange for not releasing the stolen data. The reasons behind this unusual behavior remain unclear. The attack has exposed over 2,500 instances of MOVEit Transfer to the public internet as of May 31, with the majority located in the United States. This highlights the widespread impact of the attack and the potential for significant damage.
In the wake of this attack, organizations should reassess their cybersecurity strategies and consider implementing additional measures to protect against future threats. These could include regular software updates, employee training on cybersecurity best practices, and the use of advanced threat detection and response solutions.
- Malicious GitHub repositories have been discovered, posing as Signal and WhatsApp 0-day exploits.
- The repositories are linked to a non-existent company called High Sierra Cyber Security, with profiles using headshots of legitimate security researchers.
- The repositories contain malicious code that downloads and executes a binary on the victim's operating system.
- Security researchers are urged to exercise caution when downloading code from GitHub and to thoroughly review any code before execution.
The malicious actors behind this scheme have gone to great lengths to appear legitimate, creating a network of fake accounts and even impersonating real security researchers. The repositories they've created claim to be exploits for well-known products, such as Discord, Google Chrome, and Microsoft Exchange Server. However, they contain malicious code that downloads and executes a binary on the victim's operating system. This binary is a clear piece of malware, with a high detection rate on VirusTotal.
The threat actors' persistence in maintaining this scheme suggests they believe it will eventually be successful. Security researchers and the broader community must be cautious when downloading code from GitHub or any other open-source platform. It's crucial to review any code before executing it and to avoid using anything that isn't fully understood.
- The Android remote access trojan, GravityRAT, has been updated and found in the messaging apps BingeChat and Chatico.
- This new version of GravityRAT can exfiltrate WhatsApp backups and receive commands to delete files.
- The malicious apps provide legitimate chat functionality based on the open-source OMEMO Instant Messenger app.
- The campaign is highly targeted, with potential victims specifically chosen and lured to the malicious website.
The GravityRAT Android trojan, known for its cross-platform capabilities, has evolved with a new ability to exfiltrate WhatsApp backups and receive commands to delete files. This updated version is being distributed through trojanized versions of the legitimate open-source OMEMO Instant Messenger Android app, specifically the BingeChat and Chatico apps. These apps are not available on Google Play but are distributed through rogue websites promoting free messaging services.
The campaign is highly targeted, with potential victims specifically chosen and lured to the malicious website. The group behind the malware, tracked by ESET under the name SpaceCobra, remains unknown. However, there are speculations that the threat actor is based in Pakistan, with recent attacks involving GravityRAT targeting military personnel in India and among the Pakistan Air Force.
Once installed, GravityRAT interacts with its command and control server, exfiltrating the device user's data and waiting for commands to execute. It is capable of exfiltrating call logs, contact list, SMS messages, device location, basic device information, and files with specific extensions for pictures, photos, and documents. The new capabilities to exfiltrate WhatsApp backups and receive commands to delete files are unique and not typically seen in Android malware, indicating a significant evolution in the malware's functionality.
- The research paper presents a novel method of location tracking using SMS delivery reports.
- The method exploits the timing side-channel of SMS delivery reports to infer a user's location.
- The attack can be executed by anyone who knows the victim's phone number and can send them an SMS.
- The privacy issues caused by the SMS timing attack have been recognized by GSMA, who are considering several countermeasures, including artificial delays and robust SMS filtering.
This research paper “Freaky Leaky SMS: Extracting User Locations by Analyzing SMS Timings”, reveals a new, privacy-threatening method of location tracking exploiting SMS delivery report timings. The attack can be executed by anyone who knows the victim's phone number and can send them an SMS. This makes it a significant threat to privacy.
The researchers conducted a large-scale study collecting Delivery Report timing measurements across three continents, nine countries, and ten operators to create their training dataset. They sent SMS messages between devices and measured Delivery Reports return times within and across different setups in the US, multiple countries in Europe, and the Middle East.
The researchers used a Multilayer Perceptron (MLP) classifier to perform location classification. The model comprises a stochastic gradient descent solver, softmax and sigmoid activations for multiclass and binary classifications respectively, and three layers with 10, 40, and 10 nodes respectively for the input, hidden, and output layers.
The privacy issues caused by the SMS timing attack have been recognized by GSMA, who are considering several countermeasures, including artificial delays and robust SMS filtering. However, the researchers point out that the attack is hard to mitigate without a significant overhaul of the cellular network specifications.
Sign up for Mandos Way
Join Mandos Way for tips and strategies to make security your business accelerator. Receive weekly cybersecurity briefs for you and your team.
No spam. Unsubscribe anytime.