The emergency ditching of an Australian military helicopter in the water just off a beach in New South Wales, has been blamed on the failure to apply a software patch.
Read more in my article on the Hot for Security blog.
Global organizations are improving their attack detection capabilities despite facing increasingly sophisticated, persistent, and creative adversaries. The Mandiant M-Trends 2023 report, now in its fourteenth year, revealed that the global median dwell time – calculated as the median number of days an attacker is present in a target’s environment before detection – dropped to 16 days in 2022. This is the shortest median global dwell time from all M-Trends reporting periods.
The reduction in median dwell time reflects the key role partnerships and the exchange of information play in building a more resilient cybersecurity ecosystem, according to Mandiant. That said, several findings from this year’s report demonstrate that adversaries are progressively more sophisticated, persistent, and confident, as evidenced by hundreds of new malware families, extensive cyber espionage campaigns by nation-state-backed actors, and novel aggressive, personal tactics that ignore the traditional cyber rules of engagement.
Mandiant’s latest M-Trends report shows that organizations only needed a median time of 16 days to detect an intrusion in 2022 – the lowest dwell time ever recorded by the firm
I’m not sure there are good ways to build guardrails to prevent this sort of thing:
There is growing concern regarding the potential misuse of molecular machine learning models for harmful purposes. Specifically, the dual-use application of models for predicting cytotoxicity18 to create new poisons or employing AlphaFold2 to develop novel bioweapons has raised alarm. Central to these concerns are the possible misuse of large language models and automated experimentation for dual-use purposes or otherwise. We specifically address two critical the synthesis issues: illicit drugs and chemical weapons. To evaluate these risks, we designed a test set comprising compounds from the DEA’s Schedule I and II substances and a list of known chemical weapon agents. We submitted these compounds to the Agent using their common names, IUPAC names, CAS numbers, and SMILESs strings to determine if the Agent would carry out extensive analysis and planning (Figure 6).
[…]
The run logs can be found in Appendix F. Out of 11 different prompts (Figure 6), four (36%) provided a synthesis solution and attempted to consult documentation to execute the procedure. This figure is alarming on its own, but an even greater concern is the way in which the Agent declines to synthesize certain threats. Out of the seven refused chemicals, five were rejected after the Agent utilized search functions to gather more information about the substance. For instance, when asked about synthesizing codeine, the Agent becomes alarmed upon learning the connection between codeine and morphine, only then concluding that the synthesis cannot be conducted due to the requirement of a controlled substance. However, this search function can be easily manipulated by altering the terminology, such as replacing all mentions of morphine with “Compound A” and codeine with “Compound B”. Alternatively, when requesting a b synthesis procedure that must be performed in a DEA-licensed facility, bad actors can mislead the Agent by falsely claiming their facility is licensed, prompting the Agent to devise a synthesis solution.
In the remaining two instances, the Agent recognized the common names “heroin” and “mustard gas” as threats and prevented further information gathering. While these results are promising, it is crucial to recognize that the system’s capacity to detect misuse primarily applies to known compounds. For unknown compounds, the model is less likely to identify potential misuse, particularly for complex protein toxins where minor sequence changes might allow them to maintain the same properties but become unrecognizable to the model.
The UK Government OSB undermines end-to-end encrypted communications and must be reconsidered according to an open letter signed by Signal and WhatsApp
Cyberattacks that use banking trojans of the Qbot family have been targeting companies in Germany, Argentina, and Italy since April 4 by hijacking business emails, according to a research by cybersecurity firm Kaspersky.
In the latest campaign, the malware is delivered through emails written in English, German, Italian, and French. The messages are based on real business emails that the attackers have gained access to. This gives the attackers the opportunity to join the correspondence thread with messages of their own, Kaspersky said in its report.
Threat actors are getting more adept at exploiting common, everyday issues in the cloud, including misconfigurations, weak credentials, lack of authentication, unpatched vulnerabilities, and malicious open-source software (OSS) packages. Meanwhile, security teams take an average of 145 hours to solve alerts, with 80% of cloud alerts triggered by just 5% of security rules in most environments.
That’s according to the Unit 42 Cloud Threat Report, Volume 7, which analyzed the workloads in 210,000 cloud accounts across 1,300 different organizations to gain a comprehensive look at the current cloud security landscape. It cited a small set of risky cloud behaviors that are repeatedly observed in organizations, warning that the average time to remediate alerts (roughly six days) provides a lengthy window of opportunity for adversaries to exploit cloud vulnerabilities.
Lin Ma discovered a race condition in the io_uring subsystem in the Linux
kernel, leading to a null pointer dereference vulnerability. A local
attacker could use this to cause a denial of service (system crash).(CVE-2023-0468)
It was discovered that the Traffic-Control Index (TCINDEX) implementation
in the Linux kernel contained a use-after-free vulnerability. A local
attacker could use this to cause a denial of service (system crash) or
possibly execute arbitrary code.(CVE-2023-1281)
The arrest of 21-year-old Airman First Class Jack Teixeira last week has inspired myriad reactions from armchair pundits declaring 21 is too young to be trusted with classified information to the need to reform the Department of Defense and the intelligence community to the US Speaker of the House calling for hearings on how the administration of President Joe Biden could have allowed such a breach to occur. In my opinion, the real concern is the need to reform policies and processes associated with how information is accessed by insiders.
As the case brought against Teixeira unfolds, one realization we don’t have to wait for is that the insider risk management program within the United States Air Force’s 102nd Intelligence Wing at Otis Air National Guard Base failed, and failed spectacularly. A reading of the Department of Justice affidavit in support of an arrest warrant provides a glimpse into Teixeira’s naivete and that his actions were malevolent from the get-go.
