CYBERSECURITY / DEFENSE / INTELLIGENCE

  • In the big data era, pre-training large vision transformer (ViT) models on massive datasets has become prevalent for enhanced performance on downstream tasks. 

    Visual prompting (VP), introducing learnable task-specific parameters while freezing the pre-trained backbone, offers an efficient adaptation alternative to full fine-tuning. 

    However, the VP’s potential security risks remain unexplored. The following cybersecurity analysts from Tsinghua University, Tencent Security Platform Department, Zhejiang University, Research Center of Artificial Intelligence, Peng Cheng Laboratory recently uncovered a novel backdoor attack threat for VP in a cloud service scenario, where a threat actors can attach or remove an extra “switch” prompt token to toggle between clean and backdoored modes stealthily:-

    • Sheng Yang
    • Jiawang Bai
    • Kuofeng Gao
    • Yong Yang

    SWARM – Switchable Backdoor Attack

    Researchers’ proposed Switchable Attack against pre-trained Models (SWARM) optimizes a trigger, clean prompts, and the switch token via clean loss, backdoor loss, and cross-mode feature distillation, ensuring normal behavior without the switch while forcing target misclassification when activated.

    ANYRUN malware sandbox’s 8th Birthday Special Offer: Grab 6 Months of Free Service

    Experiments across visual tasks demonstrate SWARM’s high attack success rate and evasiveness.

    Here an offending cloud service provider acts as a threat actor, this is based on existing backdoor attack scenarios.

    These users submit task datasets and pre-trained models to the threat actor’s service. 

    They also apply the trained API of attackers while attempting to identify and mitigate backdoors.

    The opponent does not manage user samples but controls prompt inputs. In normal mode, a model should handle triggered patterns without any detection.Β 

    In backdoor mode, it should have a high attack success rate. This attack aims at hiding triggers by predicting correctly on clean samples and misclassifying them when a “switch” trigger is added. 

    Clean and Backdoor mode (Source – Arxiv)

    The threat actor understands the downstream dataset and tunes prompts accordingly through visual prompting.

    Visual prompting adds learnable prompt tokens after the embedding layer so that during training only these task-specific parameters are modified.

    Users may use augmented clean data and mitigation techniques such as Neural Attention Distillation (NAD) and I-BAU to address this risk.

    While, the researchers’ experiments reveal that SWARM achieves 96% ASR against NAD and over 97% against I-BAU, as a result outperforming baseline attacks by a significant margin. 

    This shows SWARM’s ability to evade detection and mitigate threats, which consequently increases the danger to victims. 

    Researchers propose a new brand of backdoor attack on adapting pre-trained vision transformers with visual prompts, which insert an extra switch token for making invisible transitions between clean mode and backdoored one.Β 

    SWARM indicates a new realm of attack mechanisms while also providing acceleration for future defense research.

    Free Webinar on Live API Attack Simulation: Book Your Seat | Start protecting your APIs from hackers

    The post SWARM – Switchable Backdoor Attack Against Pre-trained Models appeared first on GBHackers on Security | #1 Globally Trusted Cyber Security News Platform.

    Go to source

    ΒΆΒΆΒΆΒΆΒΆ

    ΒΆΒΆΒΆΒΆΒΆ

    ΒΆΒΆΒΆΒΆΒΆ

    ΒΆΒΆΒΆΒΆΒΆ

  • A critical remote code execution vulnerability has been discovered in the git clone which was assigned with CVE-2024-32002 and the severity has been given as 9.0 (Critical).

    This particular vulnerability existed in the clone command that is widely used. 

    Git released a security advisory last week which stated that about a Remote Code Execution.

    In addition to this, the vulnerability was described to be existing due to the submodules that can be drafted in a particular way that could result in remote code execution.

    However, this vulnerability has been fixed by git and patched versions have been released. 

    Vulnerability Analysis – CVE-2024-32002

    According to the reports shared with Cyber Security News, git employs submodules which are repositories nested within other repositories.

    Every submodule has a designated directory path within the main directory which is tracked for ensuring changes are recorded accurately. 

    On observing further, it was discovered that there were case-insensitive filesystems in the default settings on Windows (A/modules/x) and macOS (a/modules/x).

    Both of these paths are treated the same which is the main core reason behind the remote code execution. 

    In addition to this, symlinks or symbolic links are file system objects that act as pointers to other files or directories.

    However, this symlink can be used for referencing other parts of the repository making it exploitable for malicious purposes.

    ANYRUN malware sandbox’s 8th Birthday Special Offer: Grab 6 Months of Free Service

    Source Code Analysis

    As per the commit of the fix of this vulnerability, there were changes only to two files which were builtin/submodule–helper.c and t/t7406-submodule-update.sh. 

    Git Commit (Source: Amalmurali.net)

    Additionally, the message on the commit indicated that “On case-insensitive filesystems, however, we blindly replace a directory that has been created as part of the clone operation with a symlink when the path to the latter differs only in case from the former’s path…..we must be careful not to follow symbolic links.

    Otherwise we may follow a symbolic link pointing to a gitdir (which are valid symbolic links!) e.g. while cloning.”

    builtin/submodule–helper.c file and t/t7406-submodule-update.sh

    The change on this file contained the clone_submodule which handles the cloning process for submodules.

    There was a new function dir_contains_only_dotgit which checks if a directory contains only a .git file or directory. 

    Further, the clone_submodule was added with a Git check to determine whether the submodule directory exists or is empty.

    In case of empty, the operation is aborted to avoid overwriting. Whereas the t/t7406-submodule-update.sh is a test script that has multiple information like Global configuration, hook repository setup, and main repository setup.

    Exploitation Of The RCE

    With all the information, the root issue existed in the case-insensitive filesystems treating paths like A/modules/x and a/modules/x as identical.

    To exploit this, a malicious symlink must be crafted within the submodule, which is named with a case variation of the submodule’s path, but at the end, it points to the .git/ directory.

    When a victim clones the malicious repository, Git creates a directory for the submodule, which is supplied with a symlink that makes the malicious symlink to be replaced in the newly created directory.

    If the script is crafted in a different way, it could lead to executing remote code on the vulnerable instance system. 

    A proof of concept has been published by the researcher, which can be triggered using the following command:

    git clone –recursive git@github.com:amalmurali47/git_rce.git

    PoC on Windows (Source: GitHub/@amalmurali47)
    PoC on Mac (Source: GitHub/@amalmurali47)

    Free Webinar on Live API Attack Simulation: Book Your Seat | Start protecting your APIs from hackers

    The post Critical Git Vulnerability Let Attackers Execute Remote Code : PoC Published appeared first on GBHackers on Security | #1 Globally Trusted Cyber Security News Platform.

    Go to source

    ΒΆΒΆΒΆΒΆΒΆ

    ΒΆΒΆΒΆΒΆΒΆ

    ΒΆΒΆΒΆΒΆΒΆ

    ΒΆΒΆΒΆΒΆΒΆ

  • In the final episode in a three-part series, we revisit the guns-vs.-butter debate and take another look at the consequences of Washington’s “porcupine” strategy for Taiwan’s defense.

    Go to source

    ΒΆΒΆΒΆΒΆΒΆ

    ΒΆΒΆΒΆΒΆΒΆ

    ΒΆΒΆΒΆΒΆΒΆ

    ΒΆΒΆΒΆΒΆΒΆ

    ΒΆΒΆΒΆΒΆΒΆ

  • In a recent encounter, the Akira ransomware group exploited a novel privilege escalation technique, where the attackers infiltrated the victim’s virtual environment to steal the NTDS.dit file, a critical file containing domain user accounts and passwords stored on domain controllers. 

    The stolen information likely granted them escalated privileges within the network, potentially allowing them to move laterally and launch a ransomware attack more quickly.Β 

    Akira, a cyber threat actor active since March 2023, targets SMEs globally to infiltrate networks by exploiting weak VPNs (compromised credentials or vulnerabilities), as it breached an agricultural company through an unpatched single-factor VPN.

    ANYRUN malware sandbox’s 8th Birthday Special Offer: Grab 6 Months of Free Service

    Once inside, they leveraged a remote code execution vulnerability (CVE-2021-21972) in the VMware vCenter server to upload a malicious file, implant a reverse shell, and gain full remote access. 

    Akira exploited a remote code execution (RCE) vulnerability in the victim’s VMware vCenter server to upload a malicious JSP file named “healthcheck_beat.jsp,” which likely contained a web shell script that allowed Akira to establish a reverse shell connection back to their attacker machine using NetCat. 

    With this foothold, it used stolen vCenter administrator credentials to create a new virtual machine on the ESXi hypervisor, providing Akira with a stealthy environment to launch further attacks within the compromised network, potentially evading detection by security tools.Β 

    It targeted the Active Directory database (NTDS.dit) on a domain controller to steal credentials and gain lateral movement, as they achieved this by shutting down the controller’s VM, copying the VMDK files to another VM, and then extracting the NTDS.dit and SYSTEM hive files. 

    The attack chain identified by S-RM during its forensic investigation into the incident.

    The SYSTEM hive provided the decryption key for the password hashes stored in NTDS.dit, allowing Akira to crack passwords or use pass-the-hash techniques, and with these stolen credentials, it escalated privileges to a domain administrator account and compromised additional systems within 6 hours. 

    According to S-RM, it deployed ransomware on a target network by exploiting legacy infrastructure, where the attacker leveraged a legitimate backup client process, beremote.exe, to deliver the ransomware binary to servers.Β 

    This method bypassed security defenses because the backup client was a trusted process already integrated into the system’s environment, where exploiting remote backups for ransomware deployment is uncommon as attackers usually aim to destroy backups to prevent recovery. 

    Akira ransomware, like the China-backed UTA0178, uses advanced techniques to bypass security, escalate privileges, and move laterally within a network by exploiting unpatched vulnerabilities and targeting weaknesses in multi-factor authentication.Β 

    To defend against such attacks, organizations must implement a robust patch management system, enforce multi-factor authentication, and conduct regular security assessments, which can help prevent attackers from gaining a foothold and quickly spreading through the network.

    Free Webinar on Live API Attack Simulation: Book Your Seat | Start protecting your APIs from hackers

    The post Akira Ransomware Escalates Privilege To Exfiltrate Domain Controller Files appeared first on GBHackers on Security | #1 Globally Trusted Cyber Security News Platform.

    Go to source

    ΒΆΒΆΒΆΒΆΒΆ

    ΒΆΒΆΒΆΒΆΒΆ

    ΒΆΒΆΒΆΒΆΒΆ

    ΒΆΒΆΒΆΒΆΒΆ

  • The U.S. Securities and Exchange Commission (SEC) has made changes to Regulation S-P that require financial companies to report data leaks within 30 days. This is a big step toward protecting consumers.

    This new rule, which goes into force on May 15, 2024, is meant to strengthen and update the protections for consumer financial information.

    ANYRUN malware sandbox’s 8th Birthday Special Offer: Grab 6 Months of Free Service

    Background on Regulation S-P

    Since its introduction in 2000, SEC Regulation S-P has required broker-dealers, investment companies, and licensed investment advisers to protect customer records and information with written policies and procedures.

    The rule also explains how to properly delete consumer report information and requires privacy policy notices and opt-out choices.

    Over the years, improvements in technology have made data breaches more likely, which is why these changes were needed.

    Key Amendments to Regulation S-P

    Incident Response Program

    The changes say that institutions that are protected must create, use, and keep up with an incident response program.

    This program needs to be able to find, stop, and fix instances of customer data being accessed or used without permission. Some critical parts of the incident response method are:

    • How to Find and Respond: Steps to find and stop people from accessing or using customer information without permission.
    • Steps to stop more unauthorized entry or use are called containment and control.
    • Oversight of Service Providers: Rules to make sure service providers do their jobs right and are watched over.

    Customer Notification Requirement

    One of the changes’ most essential parts is that people who will be impacted must be notified promptly.

    When covered organizations learn of a breach, they have 30 days to tell people whose sensitive information has been accessed or used without their permission. This must be in the notice:

    • Details of the Incident: Information about what kind of breach it was and how big it was.
    • Breached Data: Details about the data that was lost or stolen.
    • Protective Measures: Advice on how people who are impacted can keep themselves safe.

    Information with a broader range

    The changes also allow Regulation S-P to address more types of information.

    This includes private, non-public information that the bank gathers about its customers and information it gets from other banks about their customers.

    Additional Provisions

    Along with these important changes, the changes to Regulation S-P also include the following:

    • Protections and Rules for Disposal: Covers all nonpublic personal information that was added.
    • Needs for Keeping Records: Covered institutions, but not funding websites, must keep written records that show they follow the rules for disposal and safety.
    • Privacy Notice Every Year: Under the FAST Act, institutions don’t have to send a yearly privacy notice if certain conditions are met.
    • Extension to Transfer Agents: The rules for both protection and disposal now apply to transfer agents who are registered with the SEC or another regulatory body.

    The changes the SEC made to Regulation S-P are a big step toward keeping people’s banking information safe.

    By requiring financial companies to report data breaches within 30 days, the SEC hopes to ensure that customers are quickly informed and can take the steps they need to stay safe.

    These changes show how data security is changing and how vital means are needed to protect private data in a world that is becoming more and more digital.

    Free Webinar on Live API Attack Simulation: Book Your Seat | Start protecting your APIs from hackers

    The post Financial Organizations Need To Disclose Data Breach Within 30-Days appeared first on GBHackers on Security | #1 Globally Trusted Cyber Security News Platform.

    Go to source

    ΒΆΒΆΒΆΒΆΒΆ

    ΒΆΒΆΒΆΒΆΒΆ

    ΒΆΒΆΒΆΒΆΒΆ

    ΒΆΒΆΒΆΒΆΒΆ

    ΒΆΒΆΒΆΒΆΒΆ

  • Multiple threat actors are weaponizing a design flaw in Foxit PDF Reader to deliver a variety of malware such as Agent Tesla, AsyncRAT, DCRat, NanoCore RAT, NjRAT, Pony, Remcos RAT, and XWorm. “This exploit triggers security warnings that could deceive unsuspecting users into executing harmful commands,” Check Point said in a technical report. “This exploit has been used by multiple

    Go to source

    ΒΆΒΆΒΆΒΆΒΆ

    ΒΆΒΆΒΆΒΆΒΆ

    ΒΆΒΆΒΆΒΆΒΆ

    ΒΆΒΆΒΆΒΆΒΆ

    ΒΆΒΆΒΆΒΆΒΆ

  • Two Chinese people have been arrested on suspicion of being involved in a complex cryptocurrency trading scam that stole more than $73 million from people.

    In the Central District of California, the accusation was made public.

    It charges Daren Li, 41, and Yicheng Zhang, 38, with planning to launder money and six counts of actually laundering money in another country.

    Daren Li, a native of China and St. Kitts and Nevis, was caught at Hartsfield-Jackson Atlanta International Airport on April 12.

    I was then taken to the Central District of California.

    He lives in China, Cambodia, and the United Arab Emirates.

    Yicheng Zhang was caught in Los Angeles. He lives in Temple City, California.

    ANYRUN malware sandbox’s 8th Birthday Special Offer: Grab 6 Months of Free Service

    Deputy Attorney General Lisa Monaco said, “Cryptocurrency investment scams take advantage of the fact that virtual currency and online communications don’t have borders to steal money from people.”

    “There are a lot of different kinds of fraud in the crypto markets, and the criminals who do it aren’t safe from the law.”

    Information about the fraud scheme

    Court papers say that Li, Zhang, and their partners ran an international group that “pig butchered” money from cryptocurrency investment scams.

    People who were tricked sent millions of dollars to U.S. bank accounts created in the names of many fake companies.

    These accounts were only used to help hide the money that was made from theft.

    After the money was cleaned, it was moved to different bank accounts and coin platforms in the United States and other countries.

    This was done to hide where the money came from, what it was used for, who owned it, and who controlled it.

    More than $73 million was moved through U.S. banks and sent to bank accounts in The Bahamas. These funds were then changed into the cryptocurrency Tether (USDT).

    Over $341 million worth of virtual assets were sent to a cryptocurrency wallet that was part of the plan.

    Principal Deputy Assistant Attorney General Nicole M. Argentieri said, “The indictment says that Li and Zhang helped launder millions of dollars that were stolen from people who fell for cryptocurrency investment scams.”

    “Laundering money is a key part of these scams because it lets thieves move illegal money quickly and try to make it look like it’s real.”

    Β Ongoing Efforts to Combat Financial Fraud

    Li and Zhang’s arrests show that the Justice Department is serious about ending fraud in all financial markets and upsetting the whole cybercrime ecosystem.

    U.S. Attorney Martin Estrada for the Central District of California stressed the importance of people being aware of these kinds of scams so they can be stopped.

    “While my office will continue to find and punish these dishonest schemes, I urge everyone to learn about pig butchering and other types of financial fraud to keep their families safe from such harmful behavior.”

    β€œBeing alert is key.” The U.S. Secret Service’s Global Investigative Operations Centre is leading the investigation, with help from many other domestic and foreign agencies.

    They are working with the U.S. Attorney’s Office for the Central District of California and the National Cryptocurrency Enforcement Team (NCET) of the Criminal Division’s Computer Crime and Intellectual Property Section (CCIPS) to bring the charges.

    Li and Zhang could get up to 20 years in jail for each count if found guilty.

    The case shows how hard law enforcement is working to stop people from using cryptocurrency and other digital assets illegally.

    Anyone who thinks they may have been a victim of cryptocurrency investment scams should report it to IC3.gov with the subject line “Pig Butchering PSA” and as much information as possible.

    A charge, or “indictment,” is only a suggestion. A person is thought to be free until proven guilty beyond a reasonable doubt in a court of law.

    Free Webinar on Live API Attack Simulation: Book Your Seat | Start protecting your APIs from hackers

    The post Two Chinese Nationals Arrested for Stealing $73M+ Via Cryptocurrency Scams appeared first on GBHackers on Security | #1 Globally Trusted Cyber Security News Platform.

    Go to source

    ΒΆΒΆΒΆΒΆΒΆ

    ΒΆΒΆΒΆΒΆΒΆ

    ΒΆΒΆΒΆΒΆΒΆ

    ΒΆΒΆΒΆΒΆΒΆ

  • With Russia pressing from the east and Trump polling well in the west, the EU needs a dramatic increase in its defense capabilities.

    Go to source

    ΒΆΒΆΒΆΒΆΒΆ

    ΒΆΒΆΒΆΒΆΒΆ

    ΒΆΒΆΒΆΒΆΒΆ

    ΒΆΒΆΒΆΒΆΒΆ

    ΒΆΒΆΒΆΒΆΒΆ

  • All developers want to create secure and dependable software. They should feel proud to release their code with the full confidence they did not introduce any weaknesses or anti-patterns into their applications. Unfortunately, developers are not writing their own code for the most part these days. 96% of all software contains some open-source components, and open-source components make

    Go to source

    ΒΆΒΆΒΆΒΆΒΆ

    ΒΆΒΆΒΆΒΆΒΆ

    ΒΆΒΆΒΆΒΆΒΆ

    ΒΆΒΆΒΆΒΆΒΆ

    ΒΆΒΆΒΆΒΆΒΆ