Attacks on private individuals, data theft, data protection, news

North Korean Hackers Behind Hospital Data Breach in Seoul

Data on more than 830K people exposed in the 2021 cyberattack.

The Korean National Police Agency (KNPA) has concluded that a cyberattack on Seoul National University Hospital (SNUH), one of the largest hospitals in the country, was the handiwork of North Korean hackers.

The attack occurred between May and June 2021.

The police report does not explicitly name any particular threat group, but it is believed that the Kimsuky group is responsible for the attack, according to South Korean media reports. Using seven servers based in multiple countries, including South Korea, the attackers infiltrated the hospital’s internal network, leading to data exposure for 831,000 people, most of whom were patients.

After two years of analysis to identify the threat actors, South Korean law enforcement said it attributed the attack to North Korean hackers based on the intrusion techniques, the website registration, the IP addresses linked to threat actors in that country, and the North Korean language and vocabulary used in the attack.

“We plan to actively respond to organized cyberattacks backed by national governments by mobilizing all our security capabilities,” the KNPA stated in a press release, “and to firmly protect South Korea’s cybersecurity by preventing additional damage through information sharing and collaboration with related agencies.”


(c) Dark Reading

Why Economic Downturns Put Innovation at Risk & Threaten Cyber Safety

Supplementing staff by hiring hackers to seek holes in a company’s defense makes economic sense in a downturn. Could they be cybersecurity’s unlikely heroes in a recession?

For 30 years, Silicon Valley Bank (SVB) helped technology clients transform the region, and the world, growing to hold more than $200 billion in total assets and $175 billion in deposits. And then — spectacularly, and seemingly overnight — collapsing. While the Federal Reserve’s bailout might have helped to staunch the bleeding for now, those who witnessed the events of early March firsthand will not forget what those first few frantic, uncertain days were like. The psyches of the investor class and tech sector may not recover for some time to come.

This could manifest as skittishness among the investor class, impacting tech of all focuses, but I’m particularly concerned about cybersecurity startups. A downturn in cybersecurity funding threatens not just the sector itself, but all who rely on cybersecurity innovation to keep threat actors at bay.

A recent article makes interrelated points to this effect. One: SVB has long been central to the banking needs of the cybersecurity community in the US and abroad, with public reports that roughly 500 cybersecurity vendors banked with them. Two: investors spooked by the collapse of SVB will likely be “re-evaluating practices” in the short term. Already, cybersecurity funding in 2023 had dipped to 2020 numbers. The collapse of SVB serves to intensify that trend.

One approach that has helped organizations shore up their defenses and continue innovating since the heyday of investment will be critical in this tumultuous time. Ethical hackers have always been one of the best solutions to rising rates of cybercrime. These hackers replicate the strategies of bad actors to penetrate systems and inform organizations about vulnerabilities. At this precarious economic moment, with funding collapsing and companies slashing security budgets, they’re an especially viable alternative.

A downturn in funding for innovative approaches such as ethical hacking, set against a perpetually intensifying cyberthreat landscape, could be disastrous for both private and federal security needs. But, before explaining exactly why hackers are so important, it’s worth sketching out our current threat and economic landscape in greater detail.

Cybercrime and the Economy

There’s no shortage of statistics illustrating the challenging state of our current cybersecurity landscape. One report says cyberattacks on industrial firms increased by 87% in 2022. Meanwhile, another report shows cyberattacks against governments jumped by 95% in the second half of 2022. According to another study, the global cyberattack volume surged by 38% last year. The financial impact is significant; according to IBM, the average total cost of a data breach has risen to $4.35 million.

In many IT departments, keeping on top of their attack surface is an ongoing, hour-to-hour struggle.

The looming economic downturn will make these problems worse. Economic turbulence and spikes in cybercrime go hand in hand. In the aftermath of the 2009 recession, cybercrime rose an average of 40% over the following two years. It was clear again when Interpol and others noted a surge in cybercrime during the COVID-19 pandemic.

In other words: Economic turbulence means less investment in cybersecurity and a surge in cybercrime. Put simply, it’s a recipe for disaster.

Why Hackers Are the Answer

You can see why reduced funding for cybersecurity startups is a major problem. Any reduction in funding will be compounded by yet another problem: individual companies cutting back on cybersecurity spending.

I believe that hackers represent the most viable solution to mounting budget concerns. It’s not just that hackers are as inventive as the criminals they’re trying to combat — prone to exactly the kind of left-of-field, unconventional thinking that routinely allows criminals to infiltrate well-fortified organizations. It’s that — in a word — they’re affordable. And what could matter more in times of economic stress?

Companies can access a diverse range of expertise and knowledge by using hackers, who bring a different mindset to your system’s defenses and let you know quickly where your vulnerabilities are and how you might remediate them. Many organizations now routinely incentivize hackers to bring vulnerabilities to their attention through vulnerability reward programs such as bug bounty. That being said, such programs aren’t meant to replace your very important cybersecurity teams. They’re meant to supplement them, reduce internal burnout, and overall make your organization more successful.

Hackers have been largely mainstreamed by now, but a not-insignificant number of organizations remain resistant to the concept, on the logic that inviting hackers of any kind or motivation into one’s internal systems may prove risky. But this is an outdated way of thinking. For proof, look no further than the US government, which is not usually known to take radical risks in the cybersecurity department. And yet: in 2016, the Department of Defense (DoD) launched Hack the Pentagon, and since then, hackers have alerted the DoD to more than 45,000 vulnerabilities. The US isn’t alone in this: Insights generated by hackers are now a routine part of government security in countries all over the world, including Singapore and the UK.

A few years from now, we’ll have a clearer picture of how precisely the collapse of SVB impacted the tech sector and the larger economy. In the here and now, though, all organizations need to stay on high alert. It would be a shame to weather an economic downturn just to lose it all from a major breach. The latter scenario, at least, is preventable — and hackers can help.


(c) Dark Reading

Dragos Employee Hacked, Revealing Ransomware, Extortion Scheme

Attackers compromised the personal email of a new employee and, when the initial attack failed, attempted through socially engineered messages to get the company to pay them off.

One might argue that security companies should be more prepared than most organizations to defend against a cyberattack. That was the case at Dragos recently, when a known ransomware group attempted, but failed, to extort money from the security vendor in a socially engineered attack that occurred after it compromised a new employee’s personal email account.

The attack occurred May 8, with attackers gaining access to SharePoint and the Dragos contract management system by compromising the personal email address of a new sales employee prior to the person’s start date, the company revealed in a blog post on May 10. The attacker then used stolen personal information from the hack to impersonate the employee and accomplish initial steps in Dragos’ employee-onboarding process.

Dragos’ swift response prevented the threat group from achieving its objective, the deployment of ransomware, and from engaging in further activity such as lateral movement, privilege escalation, establishing persistent access, or making changes to any Dragos infrastructure, the company said.

“No Dragos systems were breached, including anything related to the Dragos Platform,” according to the post.

However, the attackers didn’t stop there. Once the group’s initial compromise and ransomware strategy was unsuccessful, it quickly “pivoted to attempting to extort Dragos to avoid public disclosure,” the company said. Attackers did this by sending a flurry of messages to Dragos executives that threatened to reveal the attack publicly if they weren’t paid off.

In a creepy twist, the group even went so far as to get personal in the messages, making references to the family members and personal contacts of Dragos employees, as well as sending emails to the personal accounts of senior Dragos employees to elicit a response.

The company ultimately decided that “the best response was to not engage with the criminals,” and managed to contain the incident, according to the post.

Still, Dragos acknowledged a data loss that will likely result in a public leak of information because the company chose not to pay a ransom, an outcome it called “regrettable.” However, the company stands by its decision not to engage or negotiate with cybercriminals, it said.

Promoting Cyber Transparency

It’s not often that security companies reveal attacks that they experience, but Dragos said that it decided to do so as an example of how to defuse a security breach before it causes significant damage. Also, it wanted to “help de-stigmatize security events,” the company wrote in the post.

Indeed, as security incidents have proven time and again, no company — not even ones that seem firmly locked down — is safe from attack, particularly with the current level of attackers’ cleverness and sophistication when using social engineering tactics, according to one security expert.

In fact, the Dragos narrative “is one of the rare stories where you hear about a truly crafted social engineering attempt and a quick discovery which led to minimal damage,” Roger Grimes, data-driven defense evangelist at security firm KnowBe4, wrote in an emailed statement.

The incident should drive awareness to “the very active social-engineering scams that are happening in the hiring space” in particular, he wrote. In fact, not every company is so lucky, nor defends itself so well, Grimes noted.

“There are also many stories of employers hiring fake employees who existed only to steal and scam from their employer, fake employees who actually didn’t know their job and just collected paychecks until they were fired, and scams the other way where legitimate job seekers were scammed while seeking employment,” he says.

Response & Internal Mitigation Is Key During a Cyberattack

While an investigation into the incident is ongoing, Dragos was able to prevent a more serious attack due to swift response and a layered security approach by the company, which should provide a blueprint for others, according to the post.

The company investigated alerts in its corporate security information and event management (SIEM) system and blocked the compromised account, activated its incident response retainer with a service provider, and engaged a third-party managed detection and response (MDR) provider to manage incident-response efforts.

“Verbose system activity logs enabled the rapid triage and containment of this security event,” the company said.

To avoid similar attacks in the future, the company said it has added an additional verification step to further harden its new-employee onboarding process to ensure that the technique used in the attack won’t be repeated.

Moreover, since every thwarted access attempt was due to multistep access approval, Dragos also is evaluating the expansion of this strategy to other systems based on how critical they are.

Cyber-Resilience Advice for Other Organizations

Dragos also made some recommendations for other organizations to help avoid a similar attack scenario. The company advised that the hardening of identity and access management infrastructure and processes is ultimately a baseline linchpin for every organization looking for cyber resilience. And it’s a good idea to implement separation of duties across the enterprise so no one person has full run of the environment.

Organizations also should apply the principle of least privilege to all systems and services, and implement multifactor authentication wherever possible, the company said.

Other steps for avoiding an employee compromise like the one Dragos suffered include applying explicit blocks for known bad IP addresses, and scrutinizing incoming emails for typical phishing triggers, including the sender’s email address, URLs, and spelling.
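The paragraph above names the triggers but not how a mail gateway or analyst script would check them. The following is an added example, not Dragos’ code: it screens an inbound message for a sender whose display name claims the corporate domain while the mailbox lives elsewhere, a diverting Reply-To, a relay on an explicit IP block list, links whose visible text and href disagree, lookalike domains, and lure words. The corporate domain (example.com), the block list (TEST-NET-3), the lure-word list and both sample messages are constructed for the example.

```python
"""Added example (not Dragos' code): screen an inbound message for the
phishing triggers named in the article (sender address, links, spelling)
and for relays on an explicit IP block list.  The messages, the block
list and the lure-word list are constructed for this example."""
import re
from email import message_from_string
from email.utils import parseaddr
from ipaddress import ip_address, ip_network
from urllib.parse import urlparse

OUR_DOMAIN = "example.com"                          # assumed corporate domain
BLOCKED_NETWORKS = [ip_network("203.0.113.0/24")]  # constructed block list (TEST-NET-3)
LURE_WORDS = {"acount", "verfiy", "urgen", "kindly", "immediatly"}  # constructed
HREF_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
HOST_RE = re.compile(r"[\w-]+(?:\.[\w-]+)*\.[a-z]{2,}", re.I)


def registered_domain(host: str) -> str:
    """Crude eTLD+1: the last two labels (enough for the sample hosts here)."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:])


def check_message(raw: str) -> list:
    """Return the triggers that fired; an empty list means the message looks clean."""
    msg = message_from_string(raw)
    findings = []

    # 1. Sender: display name implies our domain but the mailbox lives elsewhere,
    #    or a Reply-To diverts replies to a third domain.
    display, addr = parseaddr(msg.get("From", ""))
    from_domain = addr.rpartition("@")[2].lower()
    if OUR_DOMAIN in display.lower() and from_domain != OUR_DOMAIN:
        findings.append(f"From display name claims {OUR_DOMAIN} but address is {addr}")
    reply_to = parseaddr(msg.get("Reply-To", ""))[1]
    if reply_to and reply_to.rpartition("@")[2].lower() != from_domain:
        findings.append(f"Reply-To {reply_to} differs from From domain {from_domain}")

    # 2. Relay literals in Received headers against the explicit block list.
    for received in msg.get_all("Received", []):
        for literal in re.findall(r"\[(\d+\.\d+\.\d+\.\d+)\]", received):
            if any(ip_address(literal) in net for net in BLOCKED_NETWORKS):
                findings.append(f"relay {literal} is on the block list")

    # 3. Links: visible text names one host while href points at another, and
    #    href hosts that borrow our brand on a different registered domain.
    body = msg.get_payload(decode=True).decode("utf-8", "replace")
    brand = OUR_DOMAIN.split(".")[0]
    for href, text in HREF_RE.findall(body):
        href_host = urlparse(href).hostname or ""
        shown = HOST_RE.search(re.sub(r"<[^>]+>", "", text))
        if shown and registered_domain(shown.group()) != registered_domain(href_host):
            findings.append(f"link text shows {shown.group()} but points at {href_host}")
        if brand in href_host and registered_domain(href_host) != OUR_DOMAIN:
            findings.append(f"lookalike domain in link: {href_host}")

    # 4. Lure words and misspellings in the visible text.
    text = re.sub(r"<[^>]+>", " ", body).lower()
    hits = sorted(w for w in LURE_WORDS if re.search(rf"\b{w}\b", text))
    if hits:
        findings.append("lure words or misspellings: " + ", ".join(hits))
    return findings


# Constructed messages: an onboarding-themed lure and a legitimate note.
SAMPLE_PHISH = """\
Received: from mail.attacker.invalid ([203.0.113.45]) by mx.example.com
From: "HR Onboarding (example.com)" <hr-onboarding@example-com-hr.net>
Reply-To: payroll@mailbox.invalid
To: new.hire@example.com
Subject: Urgen: verfiy your acount before your start date
Content-Type: text/html; charset=utf-8

<p>Kindly verfiy your acount details here:
<a href="https://login.example-com-hr.net/verify">https://hr.example.com/verify</a></p>
"""

SAMPLE_CLEAN = """\
Received: from mail.example.com ([192.0.2.10]) by mx.example.com
From: "HR Onboarding" <hr@example.com>
To: new.hire@example.com
Subject: Welcome aboard
Content-Type: text/html; charset=utf-8

<p>Your start date is confirmed. Details are on
<a href="https://hr.example.com/start">hr.example.com</a>.</p>
"""

if __name__ == "__main__":
    for name, raw in (("phish", SAMPLE_PHISH), ("clean", SAMPLE_CLEAN)):
        print(name, check_message(raw))
```

Each check is deliberately simple; the value is in running all of them together on every inbound message and feeding the findings to the SIEM rather than relying on a recipient to notice one of them.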

Finally, organizations overall should ensure that continuous security monitoring is in place, with tested incident response playbooks ready in case an attack does occur, according to Dragos.


(c) Dark Reading

Industrial Cellular Routers at Risk: 11 New Vulnerabilities Expose OT Networks

Several security vulnerabilities have been disclosed in cloud management platforms associated with three industrial cellular router vendors that could expose operational technology (OT) networks to external attacks.

The findings were presented by Israeli industrial cybersecurity firm OTORIO at the Black Hat Asia 2023 conference last week.

The 11 vulnerabilities allow “remote code execution and full control over hundreds of thousands of devices and OT networks – in some cases, even those not actively configured to use the cloud.”

Specifically, the shortcomings reside in the cloud-based management solutions offered by Sierra Wireless, Teltonika Networks, and InHand Networks to remotely manage and operate devices.


Successful exploitation of the vulnerabilities could pose severe risks to industrial environments, allowing adversaries to sidestep security layers as well as exfiltrate sensitive information and achieve code execution remotely on the internal networks.

Even worse, the issues could be weaponized to obtain unauthorized access to devices in the network and perform malicious operations such as shutdown with elevated permissions.


This, in turn, is made possible by three different attack vectors that could be exploited to compromise and take over cloud-managed IIoT devices through their cloud-based management platforms:

  • Weak asset registration mechanisms (Sierra Wireless): An attacker could scan for unregistered devices that are connected to the cloud, get their serial numbers by taking advantage of the AirVantage online Warranty Checker tool, register them to an account under their control, and execute arbitrary commands.
  • Flaws in security configurations (InHand Networks): An unauthorized user could leverage CVE-2023-22601, CVE-2023-22600, and CVE-2023-22598, a command injection flaw, to gain remote code execution with root privileges, issue reboot commands, and push firmware updates.
  • External API and interfaces (Teltonika Networks): A threat actor could abuse multiple issues identified in the remote management system (RMS) to “expose sensitive device information and device credentials, enable remote code execution, expose connected devices managed on the network, and allow impersonation of legitimate devices.”
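The first vector above (claiming unregistered devices by serial number) is a design weakness rather than a code bug, so it is worth seeing the shape of it. The following is an added example and is not code from OTORIO or from any vendor named here: a minimal model of a cloud device-registration endpoint in which whoever first presents an unclaimed serial becomes the owner, beside a hardened version that demands proof of possession of a per-device secret and refuses to silently re-bind a claimed device. The inventory, the serial number, the secret and the account names are all constructed.

```python
"""Added example, not code from OTORIO or any vendor named in the article: a
minimal model of a cloud device-registration endpoint that shows why binding a
device to an account on the strength of its serial number alone is weak, and
one way to harden it.  The device inventory and secrets are constructed."""
import hashlib
import hmac
import secrets
from typing import Dict, Optional

# Constructed inventory.  Serial numbers are printed on labels and, as the
# article notes, may be recoverable from public lookup tools, so they must be
# treated as public identifiers.  The per-device secret is assumed to be
# provisioned at manufacture and shared only between device and backend.
DEVICES = {
    "SN-0001": {"secret": bytes.fromhex("8e1c3f5a9b2d4e6f7a8b9c0d1e2f3a4b")},
}


def device_response(serial: str, nonce: bytes) -> bytes:
    """What the physical device, which holds the secret, computes for a challenge."""
    return hmac.new(DEVICES[serial]["secret"], nonce, hashlib.sha256).digest()


class WeakRegistry:
    """Whoever presents an unclaimed serial first becomes the device owner."""

    def __init__(self) -> None:
        self.owner: Dict[str, str] = {}

    def challenge(self, serial: str) -> bytes:
        return b""                                   # nothing to prove

    def register(self, serial: str, account: str, response: bytes) -> bool:
        if serial not in DEVICES or serial in self.owner:
            return False
        self.owner[serial] = account                 # response is never checked
        return True


class HardenedRegistry:
    """Requires proof of possession of the device secret and refuses re-binding."""

    def __init__(self) -> None:
        self.owner: Dict[str, str] = {}
        self._pending: Dict[str, bytes] = {}

    def challenge(self, serial: str) -> bytes:
        nonce = secrets.token_bytes(16)
        self._pending[serial] = nonce
        return nonce

    def register(self, serial: str, account: str, response: bytes) -> bool:
        device = DEVICES.get(serial)
        nonce = self._pending.pop(serial, None)      # single-use challenge
        if device is None or nonce is None:
            return False
        expected = hmac.new(device["secret"], nonce, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, response):
            return False                             # caller does not hold the device
        if self.owner.get(serial, account) != account:
            return False                             # already claimed: no silent takeover
        self.owner[serial] = account
        return True


def race_to_register(registry, serial: str = "SN-0001") -> Optional[str]:
    """An attacker who knows only the serial tries to claim the device before its
    real owner, who has physical possession and can answer the challenge."""
    for account, has_device in (("attacker", False), ("owner", True)):
        nonce = registry.challenge(serial)
        response = device_response(serial, nonce) if has_device else secrets.token_bytes(32)
        registry.register(serial, account, response)
    return registry.owner.get(serial)


if __name__ == "__main__":
    print("weak registry owner:    ", race_to_register(WeakRegistry()))      # attacker
    print("hardened registry owner:", race_to_register(HardenedRegistry()))  # owner
```

The hardened registry changes two things: the serial is no longer the credential, and a device already bound to one account cannot be rebound by another without an explicit release. A real platform would additionally rate-limit registration and alert on repeated failed claims, which is also the signal a defender would want in logs.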

The six flaws impacting Teltonika Networks – CVE-2023-32346, CVE-2023-32347, CVE-2023-32348, CVE-2023-2586, CVE-2023-2587, and CVE-2023-2588 – were discovered following “comprehensive research” carried out in collaboration with Claroty.

“An attacker successfully exploiting these industrial routers and IoT devices can cause a number of impacts on compromised devices and networks, including monitoring network traffic and stealing sensitive data, hijacking internet connections and accessing internal services,” the companies said.

OTORIO said cloud-managed devices pose a “huge” supply-chain risk and that a single vendor compromise can act as a backdoor for accessing several OT networks in one sweep.

The development comes a little more than three months after the cybersecurity company disclosed 38 security flaws in wireless industrial Internet of Things (IIoT) devices that could provide attackers a direct path to internal OT networks and put critical infrastructure at risk.

“As the deployment of IIoT devices becomes more popular, it’s important to be aware that their cloud management platforms may be targeted by threat actors,” security researcher Roni Gavrilov said. “A single IIoT vendor platform being exploited could act as a ‘pivot point’ for attackers, accessing thousands of environments at once.”


(c) Ravie Lakshmanan

Why High Tech Companies Struggle with SaaS Security

It’s easy to think high-tech companies have a security advantage over older, more mature industries. Most are unburdened by 40 years of legacy systems and software. They draw some of the world’s youngest, brightest digital natives to their ranks, people who have lived with cybersecurity issues their entire lives.

Perhaps it is precisely this familiarity with technology that causes them to overlook SaaS security configurations. During the last Christmas holiday season, Slack had some private code stolen from its GitHub repository. According to Slack, the stolen code didn’t impact production, and no customer data was taken.

Still, the breach should serve as a warning sign to other tech companies. Stolen tokens allowed threat actors to access the GitHub instance and download the code. If this type of attack can happen to Slack on GitHub, it can happen to any high-tech company. Tech companies must take SaaS security seriously to prevent resources from leaking or being stolen.

App Breaches: A Recurring Story

Slack’s misfortune with GitHub wasn’t the first breach involving GitHub. Back in April 2022, OAuth user tokens issued to Heroku- and Travis CI-maintained OAuth applications were stolen, and an attacker used them to download data from dozens of private code repositories.

MailChimp, a SaaS app used to manage email campaigns, experienced three breaches over 12 months spanning 2022-23. Customer data was stolen by threat actors, who used that data in attacks against cryptocurrency companies.

SevenRooms had over 400 GB of sensitive data stolen from its CRM platform, PayPal notified customers in January that unauthorized parties accessed accounts using stolen login credentials, and Atlassian saw employee data and corporate data exposed in a February breach.

Clearly, tech companies aren’t immune to data breaches. Protecting their proprietary code, customer data, and employee records that are stored within SaaS applications should be a top priority.

Reliance on SaaS Applications

A strong SaaS posture is important for any company, but it is particularly important for organizations that store their proprietary code in SaaS applications. This code is especially tempting to threat actors, who would like nothing more than to monetize their efforts and ransom the code back to its creators.

Tech companies also tend to rely on a large number and mix of SaaS applications, from collaboration platforms to sales and marketing tools, legal and finance, data warehouses, cybersecurity solutions, and many more – making it even more challenging to secure the entire stack.

Tech employees depend heavily on SaaS apps to do their day-to-day work; this requires security teams to strictly govern identities and their access. Moreover, these users tend to log into their SaaS apps from different devices to maintain efficiency, which may pose a risk to the organization depending on each device’s level of hygiene. On top of this, tech employees tend to connect third-party applications to the core stack without thinking twice, granting these apps high-risk scopes.


Controlling SaaS Access After Layoffs

The high-tech industry is known for periods of hyper-growth, followed by downsizing. Over the past few months, we’ve seen Facebook, Google, Amazon, Microsoft, LinkedIn, Shopify and others announce layoffs.

Deprovisioning employees from SaaS applications is a critical element in data security. While much of the offboarding of employees is automated, SaaS applications that are not connected to the company directory don’t automatically revoke access. Even those applications that are connected may have admin accounts that sit outside the company’s SSO. While the primary SSO account may be disconnected, the user’s admin access through the app’s own login screen often remains usable.
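Both gaps described above (apps never wired to the directory, and admin accounts that bypass SSO in apps that are) surface in a simple reconciliation of each app’s user export against the directory. The following is an added example, not Adaptive Shield’s code: a directory export and two per-app exports are constructed inline, and the audit flags active app accounts whose owner is disabled or absent in the directory, plus any admin role that signs in through the app’s local login rather than SSO.

```python
"""Added example (not Adaptive Shield's code): reconcile per-app SaaS user
exports against the corporate directory to find the access that offboarding
leaves behind.  All records are constructed."""
from dataclasses import dataclass
from typing import Dict, List

# Constructed directory export: employment status per identity.
DIRECTORY = {
    "ana@example.com": "active",
    "ben@example.com": "disabled",     # offboarded last week
}

# Constructed per-app user exports.  'auth' says whether the account signs in
# through SSO or through the app's own login screen.  The wiki was never
# connected to the directory, so all of its accounts are local.
SAAS_EXPORTS = {
    "crm": [
        {"user": "ana@example.com", "status": "active", "auth": "sso",   "role": "user"},
        {"user": "ben@example.com", "status": "active", "auth": "local", "role": "admin"},
    ],
    "wiki": [
        {"user": "ben@example.com", "status": "active",    "auth": "local", "role": "user"},
        {"user": "ana@example.com", "status": "active",    "auth": "local", "role": "admin"},
        {"user": "cai@example.com", "status": "suspended", "auth": "local", "role": "user"},
    ],
}


@dataclass(frozen=True)
class Finding:
    app: str
    user: str
    reason: str


def audit(directory: Dict[str, str], exports: Dict[str, List[dict]]) -> List[Finding]:
    """Return one Finding per active app account that should not exist as-is."""
    findings = []
    for app, rows in exports.items():
        for row in rows:
            if row["status"] != "active":
                continue                              # already deprovisioned in the app
            identity = directory.get(row["user"], "absent")
            if identity != "active":
                findings.append(Finding(app, row["user"], f"stale access (directory: {identity})"))
            if row["auth"] == "local" and row["role"] == "admin":
                findings.append(Finding(app, row["user"], "admin login bypasses SSO"))
    return findings


def deprovisioning_plan(findings: List[Finding]) -> Dict[str, List[tuple]]:
    """Group findings into the per-app actions an admin would work through."""
    plan: Dict[str, List[tuple]] = {}
    for f in findings:
        action = ("disable account" if f.reason.startswith("stale")
                  else "move admin to SSO or MFA-protect local login")
        plan.setdefault(f.app, []).append((f.user, action))
    return plan


if __name__ == "__main__":
    for app, actions in deprovisioning_plan(audit(DIRECTORY, SAAS_EXPORTS)).items():
        print(app, actions)
```

The two checks are independent on purpose: a disabled employee’s local admin account is both stale and SSO-bypassing, and the second finding survives even after the first is fixed by re-enabling the person, which is why the wiki’s still-employed local admin is reported as well.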

Organic Hyper Growth and M&As

At the same time, the industry is rife with merger and acquisition announcements. As a result of M&As, the acquiring company needs to create a baseline for SaaS security and monitor all SaaS stacks of merged or acquired companies, while enabling business continuity. Whether the hyper growth is organic or through an M&A, organizations need to be able to ensure access is right-sized for their users, at scale and rapidly.

Identity Threat Detection & Response

The majority of data breaches impacting tech companies stem from stolen credentials and tokens. The threat actor enters the system through the front door, using valid credentials of the user.

Identity Threat Detection and Response (ITDR) picks up suspicious events that would otherwise go unnoticed. An SSPM (SaaS Security Posture Management) solution with threat detection engines in place will alert when there is an Indicator of Compromise (IOC). These IOCs are based on cross-referencing of activities such as user geolocation, time, frequency, recurring attempts to login, excessive activities and more.
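To make the indicators above concrete, here is an added example, not the vendor’s detection engine: three rules of the kind the paragraph lists (a country change between two successful sign-ins within an hour, a success following a burst of failures, and a sign-in outside usual hours) run over a constructed SaaS sign-in log. The thresholds and the assumption that users work in UTC daytime are the example’s own.

```python
"""Added example, not the product's detection engine: three indicator-of-
compromise rules of the kind the article lists (geolocation, time of day,
repeated failed logins) run over a constructed SaaS sign-in log."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sign-in log: (user, UTC timestamp, source country, outcome).
EVENTS = [
    ("ana@example.com", "2023-05-08T09:02:00", "LV", "success"),
    ("ana@example.com", "2023-05-08T09:40:00", "BR", "success"),  # 38 min later, another continent
    ("ben@example.com", "2023-05-08T03:10:00", "US", "failure"),
    ("ben@example.com", "2023-05-08T03:11:00", "US", "failure"),
    ("ben@example.com", "2023-05-08T03:12:00", "US", "failure"),
    ("ben@example.com", "2023-05-08T03:13:00", "US", "failure"),
    ("ben@example.com", "2023-05-08T03:14:00", "US", "failure"),
    ("ben@example.com", "2023-05-08T03:15:00", "US", "success"),  # guessing pays off, at 03:15 UTC
    ("cai@example.com", "2023-05-08T14:00:00", "DE", "success"),  # benign
]

# Assumed thresholds; a real deployment tunes them per tenant and per user.
TRAVEL_WINDOW = timedelta(hours=1)     # two countries inside this window is implausible
FAIL_WINDOW = timedelta(minutes=10)
FAIL_THRESHOLD = 5
WORK_HOURS = range(6, 22)              # assumes a workforce active in UTC daytime


def detect(events):
    """Return (user, timestamp, indicator) tuples in chronological order."""
    alerts = []
    last_success = {}                  # user -> (time, country) of last good sign-in
    failures = defaultdict(deque)      # user -> failure times inside FAIL_WINDOW
    for user, ts, country, outcome in sorted(events, key=lambda e: e[1]):
        t = datetime.fromisoformat(ts)
        window = failures[user]
        while window and t - window[0] > FAIL_WINDOW:
            window.popleft()           # age out old failures
        if outcome != "success":
            window.append(t)
            continue
        if len(window) >= FAIL_THRESHOLD:
            alerts.append((user, ts, f"success after {len(window)} failures within {FAIL_WINDOW}"))
        window.clear()
        prev = last_success.get(user)
        if prev and prev[1] != country and t - prev[0] <= TRAVEL_WINDOW:
            alerts.append((user, ts, f"impossible travel {prev[1]} -> {country}"))
        if t.hour not in WORK_HOURS:
            alerts.append((user, ts, "sign-in outside usual hours"))
        last_success[user] = (t, country)
    return alerts


if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(*alert)
```

Note that the off-hours rule fires on the same event as the failure-burst rule for ben; correlating several weak indicators on one session, rather than alerting on any single one, is what keeps the false-positive rate tolerable.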

Securing High Tech’s SaaS

Maintaining a high SaaS security posture is challenging for high tech companies, who may mistakenly believe they are equipped and well trained to prevent SaaS attacks. SaaS Security Posture Management is essential to preventing SaaS breaches, while an SSPM with ITDR capabilities will go a long way toward ensuring that your SaaS data is secure.


(c) Ravie Lakshmanan

Microsoft Advisories Are Getting Worse

A predictable patch cadence is nice, but the software giant can do more.

As the 20th anniversary of Patch Tuesday approaches later this year, many are reflecting on the importance of the program that brought predictability to Microsoft security patch cycles. Patch Tuesday undoubtedly improved the security of customers, and the success of the program is reflected in the number of organizations that established their own Patch Tuesdays, including Adobe, Siemens, Schneider Electric, and more.

However, the quality of the vulnerability details published by Microsoft on Patch Tuesday has noticeably declined. Vulnerability descriptions used to be useful. Now they are reduced to being nearly meaningless. Compare, for example, the CVE descriptions in the National Vulnerability Database (NVD) for CVE-2017-0290 and CVE-2023-21554 (aka QueueJumper):


CVE-2017-0290 NVD Vulnerability Description

The Microsoft Malware Protection Engine running on Microsoft Forefront and Microsoft Defender on Microsoft Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8.1, Windows Server 2012 Gold and R2, Windows RT 8.1, Windows 10 Gold, 1511, 1607, and 1703, and Windows Server 2016 does not properly scan a specially crafted file leading to memory corruption, aka “Microsoft Malware Protection Engine Remote Code Execution Vulnerability.”


CVE-2023-21554 Vulnerability Description

Microsoft Message Queuing Remote Code Execution Vulnerability

The first description details the affected components (Forefront and Defender), the affected versions (various Windows operating systems), the attack vector (crafted file), and a bug class (memory corruption). The second description lacks almost all of those details.

This is not an isolated case. In fact, Microsoft’s CVE descriptions have been on the decline for a number of years. The following graph maps the median length of Microsoft-created CVE descriptions over the past 20 years:

Graphic showing median length of Microsoft CVE description
Source: Jacob Baines

Impact on Defenders

The poor descriptions have a serious impact on practitioners. It’s difficult to prioritize vulnerabilities when it’s unclear what the problems are. How is anyone supposed to know if Microsoft Message Queuing Remote Code Execution Vulnerability is a big deal or not? How many practitioners know what Microsoft Message Queuing is, or what major pieces of software use it? Is it enabled by default? Does it listen on a network port? The practitioner is forced to go looking for all this information themselves.

To avoid that type of thing, MITRE created well-defined rules for what is required in a CVE description. These are the minimum requirements:

8.2.1 MUST provide enough information for a reader to have a reasonable understanding of what products are affected.

8.2.3 MUST include one of the following:

1. Vulnerability Type

2. Root Cause

3. Impact

Does Microsoft Message Queuing Remote Code Execution Vulnerability Satisfy These Requirements?

Maybe a very loose interpretation of 8.2.3 would be satisfied with Code Execution Vulnerability. But can anyone reasonably say that “Microsoft Message Queuing” describes the affected products?

At least Microsoft included a specific service for CVE-2023-21554 (Message Queuing). It didn’t even do that for CVE-2023-23415. That description doesn’t list any software, and instead opts to list an affected protocol:

CVE-2023-23415 Vulnerability Description

Internet Control Message Protocol (ICMP) Remote Code Execution Vulnerability

CWE Assigned to Microsoft CVE

It’s unclear why MITRE allows Microsoft to ignore (or, generously, skirt) the CVE description rules. What is clear is that everyone else is worse off because of it. If appealing to the overburdened practitioner isn’t enough, we can actually measure the impact of Microsoft’s bad CVE descriptions on NIST’s per-CVE Common Weakness Enumeration (CWE) assignment.

For every CVE in the NVD, NIST attempts to assign a CWE. When the vulnerability contains insufficient information to assign any specific CWE, NIST assigns NVD-CWE-noinfo. Basically, “this CVE has insufficient details for us to know what the weakness is.”

Back in 2015, NIST assigned NVD-CWE-noinfo to only a few Microsoft CVEs. In 2022, the majority of Microsoft CVEs received the NVD-CWE-noinfo designation.

Graphic showing CWE assigned to Microsoft CVE
Source: Jacob Baines
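The two graphs above rest on measurements anyone can repeat against an NVD export. The following is an added example and not the author’s own tooling: it computes the median English description length per year and the per-year share of CVEs carrying only NVD-CWE-noinfo, from records laid out like the NVD 2.0 API’s JSON. The field names (sourceIdentifier, published, descriptions, weaknesses) are assumed from that API; the records are constructed stand-ins with placeholder IDs, not real NVD data, although the two 2023 rows reuse the one-line descriptions quoted above, with CWE tags constructed for the example.

```python
"""Added example, not the author's own tooling: reproduce the two measurements
behind the graphs (median CVE description length per year and the share of
CVEs tagged NVD-CWE-noinfo) from records laid out like the NVD 2.0 API's JSON.
The field layout is assumed from that API; the records are constructed
stand-ins with placeholder IDs, not real NVD data."""
from collections import defaultdict
from statistics import median

MICROSOFT_CNA = "secure@microsoft.com"   # assumed sourceIdentifier for Microsoft-issued CVEs


def record(cve_id, source, published, description, cwe):
    """Build one record in the (assumed) NVD 2.0 shape."""
    return {"cve": {
        "id": cve_id, "sourceIdentifier": source, "published": published,
        "descriptions": [{"lang": "en", "value": description}],
        "weaknesses": [{"source": "nvd@nist.gov", "type": "Primary",
                        "description": [{"lang": "en", "value": cwe}]}],
    }}


RECORDS = [
    # 2015-style entries (constructed): component, versions, vector and bug class spelled out.
    record("EXAMPLE-A", MICROSOFT_CNA, "2015-06-09T17:59:00.000",
           "The rendering engine in a placeholder component on placeholder "
           "versions of Windows does not properly handle objects in memory, "
           "allowing remote attackers to execute arbitrary code via a crafted "
           "web site, aka 'Placeholder Memory Corruption Vulnerability.'",
           "CWE-119"),
    record("EXAMPLE-B", MICROSOFT_CNA, "2015-10-13T17:59:00.000",
           "The kernel-mode driver in a placeholder component on placeholder "
           "versions of Windows allows local users to gain privileges via a "
           "crafted application, aka 'Placeholder Elevation of Privilege "
           "Vulnerability.'",
           "CWE-264"),
    # 2023-style entries reuse the one-line descriptions quoted in the article;
    # the CWE tags here are constructed for the example.
    record("EXAMPLE-C", MICROSOFT_CNA, "2023-04-11T17:15:00.000",
           "Microsoft Message Queuing Remote Code Execution Vulnerability",
           "NVD-CWE-noinfo"),
    record("EXAMPLE-D", MICROSOFT_CNA, "2023-03-14T17:15:00.000",
           "Internet Control Message Protocol (ICMP) Remote Code Execution Vulnerability",
           "NVD-CWE-noinfo"),
    # A non-Microsoft record (constructed) that the CNA filter must drop.
    record("EXAMPLE-E", "cve@mitre.org", "2023-05-02T10:00:00.000",
           "A buffer overflow in a placeholder parser allows remote code execution.",
           "CWE-120"),
]


def cna_cves(records, source=MICROSOFT_CNA):
    """Keep only CVEs issued by the given CNA."""
    return [r["cve"] for r in records if r["cve"].get("sourceIdentifier") == source]


def english_description(cve):
    return next(d["value"] for d in cve["descriptions"] if d["lang"] == "en")


def median_description_length(cves):
    """Year -> median length of the English description."""
    by_year = defaultdict(list)
    for cve in cves:
        by_year[int(cve["published"][:4])].append(len(english_description(cve)))
    return {y: median(v) for y, v in sorted(by_year.items())}


def noinfo_share(cves):
    """Year -> fraction of CVEs whose NVD weakness tags are empty or only NVD-CWE-noinfo."""
    counts = defaultdict(lambda: [0, 0])
    for cve in cves:
        tags = {d["value"] for w in cve.get("weaknesses", []) for d in w["description"]}
        year = int(cve["published"][:4])
        counts[year][1] += 1
        if tags <= {"NVD-CWE-noinfo"}:
            counts[year][0] += 1
    return {y: n / total for y, (n, total) in sorted(counts.items())}


if __name__ == "__main__":
    ms = cna_cves(RECORDS)
    print("median description length:", median_description_length(ms))
    print("NVD-CWE-noinfo share:     ", noinfo_share(ms))
```

Run against a full NVD export, the same two functions give the curves in the graphs; the constructed rows merely show the shape of the result (long, CWE-tagged descriptions in the early years, one-line descriptions with no weakness assignment in 2023).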

NIST’s effort to assign a CWE to each CVE helps with vulnerability prioritization and makes it easier to map vulnerabilities to CAPEC and/or MITRE ATT&CK. NVD CWE assignments are used by a host of downstream projects, including MITRE’s own CWE Top 25. Recent Microsoft vulnerabilities are largely excluded from these activities, because Microsoft has chosen to provide insufficient information to even assign a CWE to its vulnerabilities.

Unfortunately, it’s not as if the information can be found in the Microsoft advisory itself, either. In fact, practitioners need to refer to outside sources, because Microsoft doesn’t keep its advisories up to date. For example, both CVE-2022-41080 and CVE-2019-1388 were added to the Cybersecurity and Infrastructure Security Agency (CISA) Known Exploited Vulnerabilities (KEV) catalog in 2023. The NVD entries for both correctly reflect that. But both Microsoft advisories state that the vulnerabilities haven’t been “exploited.” That’s because its advisories only reflect exploitation status at the time of publication.

Microsoft Advisory Exploitability Table for CVE-2019-1388


The result is that Microsoft’s advisory is both out of date and lacks information. The NVD entry is up to date, but also lacks information. Thankfully, there are a host of third parties trying to plug the information gap. For example, Zero Day Initiative publishes a rundown of every Patch Tuesday. This is its description of CVE-2023-21554 (aka QueueJumper):

This is a CVSS 9.8 bug and receives Microsoft’s highest exploitability rating. It allows a remote, unauthenticated attacker to run their code with elevated privileges on affected servers with the Message Queuing service enabled. This service is disabled by default but is commonly used by many contact center applications. It listens to TCP port 1801 by default, so blocking this at the perimeter would prevent external attacks. However, it’s not clear what impact this may have on operations. Your best option is to test and deploy the update.

This description contains important information that the CVE entry does not, such as:

1. Message Queuing is a service.

2. Message Queuing is disabled by default.

3. Message Queuing listens on TCP port 1801.

4. Exploitation may result in elevated privileges.

All of that is incredibly useful for defenders — information that should have appeared in the CVE dictionary and the NVD entry, but doesn’t. This is information that belongs in the CVE catalog for context, vulnerability prioritization, and historical safekeeping. Instead, already time-constrained defenders are put at a disadvantage because they’re forced to go hunting for third-party descriptions of every Microsoft vulnerability.


Microsoft’s Patch Tuesday is almost old enough to drink, but that isn’t reflected in the maturity of the program. A predictable patch cadence is nice, but the associated information produced by Microsoft is bad and has been trending that way for years. Microsoft can do much more, and it owes the community as much. Eight-word vulnerability descriptions should not and cannot be the norm.


(c) Dark Reading

VirusTotal AI code analysis expands Windows, Linux script support

Google has added support for more scripting languages to VirusTotal Code Insight, a recently introduced artificial intelligence-based code analysis feature.

While launched only with support for analyzing a subset of PowerShell files, Code Insight can now also spot malicious Batch (BAT), Command Prompt (CMD), Shell (SH), and VBScript (VBS) scripts.

Besides the list of additions included in Google’s announcement, BleepingComputer was also able to discover that the company added support for AutoHotkey (AHK) and Python (PY) scripting languages.

“Code Insight has broadened its support for script formats, moving beyond PowerShell to offer analysis for a variety of scripting languages,” VirusTotal founder Bernardo Quintero said.

To facilitate the analysis of larger files, Code Insight has also been updated to have an increased maximum file size limit, doubling the capacity for processing.

“Code Insight can now handle files twice the size it could before, and we’re not stopping there. We’re going to keep working on improving this aspect in the coming months,” Quintero added.

Additionally, the model has been improved to provide clearer and more specific high-level explanations, emphasizing the code’s behavior.

A revamped user interface now showcases only the start of the report (the first several sentences) by default, allowing users to expand the description if needed. This ensures the default view is not inundated with lengthy AI-powered analysis reports.

SH script analysis by VirusTotal Code Insight
ESXiArgs sample analysis by VirusTotal Code Insight (VirusTotal)

VirusTotal announced the launch of Code Insight last month as an AI-based code analysis feature powered by the Google Cloud Security AI Workbench, which uses the Sec-PaLM large language model (LLM) fine-tuned for security use cases.

As Google explained, it analyzes potentially harmful files to describe their (malicious) behavior, making it easier to identify which ones pose actual threats.

Code Insight is currently in its early stages of development, marking the beginning of a continuous and evolving process.

The roadmap ahead encompasses the following improvements:

  1. Expanding support for additional file types and sizes.
  2. Enabling analysis of binary and executable files.
  3. Enriching analysis by incorporating contextual information beyond the code itself.

VirusTotal is a web-based malware-scanning platform with over 500,000 registered users, owned by Google’s Chronicle security subsidiary.

It helps scan suspicious files and URLs for malicious content, such as viruses, worms, and trojans, by harnessing the power of more than 70 antivirus scanners and domain blocklisting services.


(c) Sergiu Gatlan

Airline exposes passenger info to others due to a ‘technical error’

airBaltic, Latvia’s flag carrier, has acknowledged that a ‘technical error’ exposed reservation details of some of its passengers to other airBaltic passengers.

Passengers also reported receiving unexpected emails which addressed them by the name of another customer.

The Riga-based airline, incorporated as AS Air Baltic Corporation, operates flights to 80 destinations and is 97% government-owned. Although the air carrier says the leak impacts a small percentage of its customers and that no financial or payment data was exposed, the airline has yet to disclose the total number of impacted passengers.

Accidental exposure leaks passenger bookings

Yesterday, multiple airBaltic passengers reported receiving emails that were addressed to someone else.

The airline also began emailing customers, informing them of a data leak that exposed their booking information to other passengers.

One such email was spotted by security researcher Erik Wynter, who shared it with BleepingComputer:

airBaltic’s email to customers sent over the weekend (Erik Wynter)

BleepingComputer was told that the exposed information may have included the passengers’ full names, birth dates, email addresses, etc.

Incident did not result from a cyber attack

An airBaltic spokesperson confirmed to BleepingComputer that the issue impacted 0.009% of its reservations from this year:

“We can confirm that on Friday, May 12, an internal technical problem was detected in the airBaltic e-mail distribution system, as a result of which a small number of passengers (approximately 0,009% of our clients this year) received an erroneous e-mail with the flight reservation information of another passenger,” airBaltic told BleepingComputer, later clarifying that the percentage represents the impacted reservations, not passengers.

“This email did not contain payment method or other financial details, or sensitive information. The protection of personal data is very important to us, thus we can guarantee that in the incident the personal information of the non-involved passengers is safe and the incident has been contained.”

Considering airBaltic flew approximately 3.3 million passengers in 2022, the otherwise minute-looking percentage could mean the data exposure incident impacted hundreds of fliers.

Given that the exposed data includes sensitive booking details such as the PNR/reservation number (knowledge of which could be used to modify an itinerary), some passengers expressed concern, urging the airline to issue them a new booking number.

“This has been done for passengers who contacted the airline individually and wanted it themselves,” airBaltic further told BleepingComputer.

The spokesperson states that the issues resulted from an “internal technical error” and that no malicious activity or external influence (such as a cyber attack or a threat actor) is responsible for these issues.

“E-mail was sent out in language intended for the passenger whose data were included in the respective message, based on settings and language selection during the booking process,” the airline also tweeted, and the same has been observed by some passengers.

“The protection of personal data is very important to us, so we are thoroughly investigating this case and will contact all affected passengers within today. We guarantee that personal data of non-affected passengers is not compromised and the incident is currently contained. We apologize for any inconvenience caused.”

If you are an airBaltic customer who has been impacted by the issue, it may be worth getting in touch with the airline and having it issue you a fresh booking number.

Update, May 16th, 06:40 AM ET: Added clarification from airBaltic that the percentage represents impacted reservations.


(c) Ax Sharma

Brave unveils new “Forgetful Browsing” anti-tracking feature

The privacy-focused Brave Browser is introducing a new “Forgetful Browsing” feature that prevents sites from re-identifying you on subsequent visits.

This new feature will clear not only cookies at the sites you specify but also data in local storage and the cache when you close a website. While this automatically logs users out of those sites, it also prevents re-identification when they return to the site at a future time.

Users can enable “Forgetful Browsing” from the software’s settings menu, either for all websites (global default) or for a specified list of sites.

“When this option is set, Brave will clear first-party storage for the site a few seconds after there are no more open tabs for the site,” explains Brave Software’s announcement.

“Forgetful Browsing clears both explicitly stored values (e.g. cookies, localStorage, or indexedDB) and indirectly stored values (e.g. HTTP cache or DNS cache).”

The Brave Software team explained that although its browser offers robust protections against third-party tracking, the privacy issues that arise from first-party tracking remain somewhat unaddressed.

Focusing on first-party tracking

First-party tracking has taken the back seat in the privacy-protection considerations of browser engineers because users consciously choose what websites they visit and naturally have better control and a clearer understanding of where their data goes.

While first-party cookies are important for a good website experience, such as staying logged into a site or keeping track of read content, several risks are still associated with letting a website re-identify visitors indefinitely.

These risks include building rich user profiles for targeted advertising by aggregating more data, and associating multiple visitor accounts with the same person or same household, thus breaking privacy-proofing barriers.

Brave says that most modern web browsers already offer features or tools to deal with this problem. However, they are either fragmented, cumbersome to use, too generic or too specific, or entirely hidden from the user.

Hence, the team decided to develop Forgetful Browsing as an integrated tool that will be easy to enable and disable and won’t require any user vigilance or specific intervention after setting up.

To set the global default for ‘Forgetful Browsing,’ head to Settings → Shields and enable “Forget me when I close a site.”

The ‘Forgetful Browsing’ setting in the Brave settings menu (Brave)

Website-specific situations like adding an entry or an exclusion from the global default will be as simple as navigating to the site, clicking on the shields icon on the right side of the URL bar, clicking “Advanced controls,” and then switching the toggle of the feature to the “on” position.

Site-specific option available from the Shields icon on the URL bar

Brave clarifies that ‘Forgetful Browsing’ will apply to sites and not domains, contrary to how most settings in Shields work.

The new feature will be made available on Brave browser for the desktop version 1.53 (current stable is v1.51), while Android users will get ‘Forgetful Browsing’ a bit later, with version 1.54.


(c) Bill Toulas

The Week in Ransomware – May 12th 2023 – New Gangs Emerge

This week we have multiple reports of new ransomware families targeting the enterprise, named Cactus and Akira, both of which are increasingly active.

The Cactus operation launched in March and has been found to exploit VPN vulnerabilities to gain access to corporate networks.

The encryptor requires an encryption key to be passed on the command line to decrypt the configuration file used by the malware. If the proper configuration key is not passed, the encryptor will terminate, and nothing will be encrypted.

This method is used to evade detection by security researchers and antivirus software.

BleepingComputer also reported on the Akira ransomware, a new operation launched in March that quickly amassed sixteen victims on its data leak site.

The Akira operation uses a retro-looking data leak site that requires you to enter commands as if you’re using a Linux shell.

Akira data leak site (Source: BleepingComputer)

We also learned about new attacks and significant developments in previous ones.

On May 7th, multinational automation firm ABB suffered a Black Basta ransomware attack, disrupting their network and factories.

ABB is the developer of numerous SCADA and industrial control systems (ICS) for energy suppliers and manufacturing, raising concerns about whether data was stolen and what it contained.

News also came out last week that the Money Message ransomware operation published source code belonging to MSI, which contained private keys for Intel Boot Guard.

Binarly warned that these leaked keys could be used to digitally sign UEFI malware that can bypass Intel Boot Guard on MSI devices.

Finally, researchers and law enforcement released new reports.

Contributors and those who provided new ransomware information and stories this week include: @PolarToffee, @malwrhunterteam, @Ionut_Ilascu, @demonslay335, @struppigel, @malwareforme, @BleepinComputer, @billtoulas, @FourOctets, @serghei, @VK_Intel, @fwosar, @LawrenceAbrams, @Seifreed, @jorntvdw, @DanielGallagher, @LabsSentinel, @BrettCallow, @matrosov, @binarly_io, @Checkmarx, @KrollWire, @yinzlovecyber, and @pcrisk.

May 7th 2023

Meet Akira — A new ransomware operation targeting the enterprise

The new Akira ransomware operation has slowly been building a list of victims as they breach corporate networks worldwide, encrypt files, and then demand million-dollar ransoms.

New Cactus ransomware encrypts itself to evade antivirus

A new ransomware operation called Cactus has been exploiting vulnerabilities in VPN appliances for initial access to networks of “large commercial entities.”

New STOP ransomware variant

PCrisk found a new STOP ransomware variant that appends the .qore extension.

May 8th 2023

Intel investigating leak of Intel Boot Guard private keys after MSI breach

Intel is investigating the leak of alleged private keys used by the Intel Boot Guard security feature, potentially impacting its ability to block the installation of malicious UEFI firmware on MSI devices.

May 9th 2023

New GlobeImposter ransomware variant

PCrisk found a new GlobeImposter ransomware variant that appends the .Suffering extension and drops a ransom note named how_to_back_files.html.

New Solix ransomware

PCrisk found a new ransomware variant that appends the .Solix extension.

New MedusaLocker ransomware

PCrisk found a new ransomware variant that appends the .newlocker extension and drops a ransom note named HOW_TO_RECOVER_DATA.html.

New BrightNite ransomware

PCrisk found a new ransomware variant that appends the .BrightNight extension and drops a ransom note named README.txt.

New STOP ransomware variant

PCrisk found a new STOP ransomware variant that appends the .gash extension.

May 10th 2023

New ransomware decryptor recovers data from partially encrypted files

A new ‘White Phoenix’ ransomware decryptor allows victims to partially recover files encrypted by ransomware strains that use intermittent encryption.

New Xorist ransomware variant

PCrisk found a new Xorist ransomware variant that appends the .SIGSCH extension and drops a ransom note named README_SIGSCH.txt.

New Army Signal ransomware

PCrisk found a new Xorist ransomware variant that appends the .zipp3rs extension.

May 11th 2023

Babuk code used by 9 ransomware gangs to encrypt VMWare ESXi servers

An increasing number of ransomware operations are adopting the leaked Babuk ransomware source code to create Linux encryptors targeting VMware ESXi servers.

Multinational tech firm ABB hit by Black Basta ransomware attack

Swiss multinational company ABB, a leading electrification and automation technology provider, has suffered a Black Basta ransomware attack, reportedly impacting business operations.

New STOP ransomware variant

PCrisk found a new STOP ransomware variant that appends the .gatz extension.

May 12th 2023

FBI: Bl00dy Ransomware targets education orgs in PaperCut attacks

The FBI and CISA issued a joint advisory to warn that the Bl00dy Ransomware gang is now also actively exploiting a PaperCut remote-code execution vulnerability to gain initial access to networks.


(c) Lawrence Abrams