Plus: New York’s legislature suffers a cyberattack, police disrupt a global phishing operation, and Apple removes encrypted messaging apps in China.

Looking for love? Be careful what you wish for.

A loose-knit community of con artists known as Yahoo Boys has begun using real-time face-swap technology to woo victims with romance scams. Using a variety of tools and techniques, the scammers use AI-powered apps to make themselves look like entirely different people on video calls. Just remember: If someone you’ve never met IRL is asking you for money, just say no.

Elsewhere in the world of harmful deepfakes, two major websites used for creating fake nude images of people are now blocked in the United Kingdom. The censorship, which appears to be self-imposed, comes just days after the UK proposed legislation that would ban nonconsensual, sexualized AI-generated images.

A Russian cybercriminal gang called Cyber Army of Russia Reborn appears to have been created with the help of Sandworm, the notorious Russian military hacking unit that has carried out devastating cyberattacks against Ukraine for years. The difference? Cyber Army of Russia Reborn is even more brazen, taking credit for attacks against critical infrastructure in Europe and the United States.

Change Healthcare’s ransomware saga entered a new chapter this week. A cybercriminal group called RansomHub claims to be selling highly sensitive patient information stolen from the company. The sale follows RansomHub’s claims that it possesses terabytes of data stolen in a February attack by another ransomware gang known as AlphV or Black Cat, which received a $22 million payment in March. Change Healthcare says it has spent $872 million response to the ransomware attack as of March 31.

The biggest global surveillance program carried out by the US may be about to get bigger. A two-year renewal of Section 702 of the Foreign Intelligence Surveillance Act, which technically expired on Friday, will soon go up for a vote by the US Senate after passing the House last week. Included in the legislation is a provision that would greatly expand the number of businesses that could be conscripted to spy on behalf of the US government, which critics have called the “Stasi provision.” One of the largest lobbying firms for Big Tech companies has opposed the provision over fears that tech industry workers could be forced to become informants.

That’s not all. Each week, we round up the security and privacy news we didn’t cover in depth ourselves. Click the headlines to read the full stories. And stay safe out there.

There’s a kernel of truth in every good fiction, which is why the very real Defense Advanced Research Projects Agency, or Darpa, is a constant go-to for shows like the _X-Files_ and games like _Metal Gear Solid_. It tends to pop up whenever a shadowy government agency is needed to reverse engineer a stolen alien artifact or construct a giant killer robot. A Darpa announcement this Thursday, however, sounds almost too much like the opening sequence of a Hideo Kojima game: With the help of the US Air Force Test Pilot School, the agency says an experimental aircraft known as the X-62 was successfully flown by artificial intelligence during a simulated dogfight against a human pilot in an F-16. “The potential for autonomous air-to-air combat has been imaginable for decades,” US Air Force secretary Frank Kendall says, “but the reality has remained a distant dream up until now.”

**New York State Legislature Hit by Cyberattack**

Details are scant as to the impact, but for at least several hours this week, hackers felled computer systems supporting the work of New York’s state legislature. While an attack on something called the Legislative Bill Drafting Commission isn’t quite as jaw-dropping as one against a power plant or a naval base, the LBDC is one of a dozen required stops that legislation in New York must make en route to becoming law. Bills can’t be introduced, amended, or reviewed by committee without it, much less get a vote. Luckily, the agency reports it was able to get back on its feet within a few hours using a “backup system.” An investigation of the attack is ongoing.

**Police Disrupt Global Phishing Operation**

An armada of law enforcement agencies arrested 37 suspects around the world last weekend in an operation targeting LabHost, reportedly one of the world’s largest phishing-as-a-service platforms. The investigation was spearheaded by the London Metropolitan Police in cooperation with Europol. Investigators uncovered a whopping 40,000 phishing domains being operated by as many as 10,000 users worldwide, Europol says. LabHost charged a monthly fee of $249. That cybercriminals have discovered the psychological benefits of just-below pricing is yet another sign of the growing popularity and sophistication of these markets.

**Apple Removes Encrypted Messaging Apps in China**

Encrypted messaging apps WhatsApp, Signal, and Telegram have gone the way of Winnie the Pooh. Citing “national security concerns,” China ordered Apple to delete “certain apps” from its Chinese App Store this week, the tech behemoth announced (while neglecting to specify which ones). Apple reportedly met with Chinese authorities to express concern over how banning the apps would impact its users but relented after being met with a stone wall. “We are obligated to follow the laws in the countries where we operate,” the company said, “even when we disagree.” Apple is heavily dependent on China’s workforce to manufacture its products, and sales in the region have topped $70 billion in recent years. That Apple has become beholden to the Chinese government because of this is no longer much of a secret.

AI-Controlled Fighter Jets Are Dogfighting With Human Pilots Now

Chinese actors are ready and poised to do "devastating" damage to key US infrastructure services if needed, he said.

Source: KaimDH via Shutterstock

FBI Director Christopher Wray this week delivered what might be the starkest warning yet on the threat that China-backed hackers pose to US national and economic security.

In remarks at a Vanderbilt University\-hosted summit on modern conflict and emerging threats, Wray described Chinese hackers as outnumbering FBI personnel by at least 50 to 1 and standing poised to "wreak havoc" on US critical infrastructure at a moment's notice.

**Immediate and Imminent Threat**

Stakeholders across private industry and government need to treat the threat as immediate and implement plans to fortify networks and respond to attacks now, the nation's leading law enforcement official said.

"The \[People's Republic of China\] has made it clear that it considers every sector that makes our society run as fair game in its bid to dominate on the world stage," Wray said. "Its plan is to land low blows against civilian infrastructure to try to induce panic and break America's will to resist."

Wray's comments build on repeated warnings in recent months from US officials — and the FBI itself — about a dangerous and systematic escalation in Chinese targeting of networks and systems belonging to organizations in critical infrastructure sectors. Wray and others have repeatedly described the intrusions as attempts by Chinese hackers to methodically pre-position themselves for attacks designed to disrupt telecommunications, energy, water, technology and other critical infrastructure services when needed.

China's cyberattackers are "giving the Chinese government the ability to wait for just the right moment to deal a devastating blow," Wray said. Beijing, he added, is building a capability to deter any US attempts to intervene in the event of a crisis between China and Taiwan.

**Multifaceted Attacks**

The ongoing attempts by Chinese hackers to establish and maintain a presence on critical infrastructure adds to the pressure that US organizations have had to deal with for more than a decade from China-backed cyber-espionage and cybercriminal groups. To support economic initiatives like Made in China 2025 and multiple separate five-year plans, Beijing has for years deployed cyber groups to systematically steal intellectual property and trade secrets from companies in key competitive sectors, Wray said.

Targets have included organizations in fields as diverse as biotech, aviation, artificial intelligence, agriculture, and healthcare. "The PRC is engaged in the largest and most sophisticated theft of intellectual property and expertise in the history of the world," Wray noted. "You could close your eyes and pull an industry or sector out of a hat and, chances are, Beijing has targeted it."

In recent months, the Volt Typhoon group has been one of the most visible faces of what the US regards as China's untrammeled aggression in cyberspace. The US Cybersecurity and Infrastructure Security Agency (CISA) and security vendors have, on multiple occasions this year, reported on the threat actor's intrusions into US critical infrastructure networks and operational technology environments with a view to gaining a presence on these networks and lying in wait for instructions to attack. Last year, The New York Times identified Volt Typhoon hitting military bases, prompting worried Biden administration officials to admit that the threat actor's malware was more endemic on US networks than previously thought.

**"Scattershot" and "Indiscriminate" Attacks**

Wray pointed to widespread attacks in 2021 that exploited zero-day vulnerabilities in Microsoft Exchange Server as one of the "most egregious examples" of China's "scattershot, indiscriminate, cyber campaigns," in recent memory. Those attacks involved China-backed Hafnium group deploying Web shells for remote access on thousands of corporate systems. The FBI — in an unprecedented move at the time — later obtained a court order to remotely remove those Web shells from thousands of infected systems before the threat actor could use them to inflict further damage.

In response to the growing threat, the FBI has mobilized its own field offices in the US and around the world to address the threat, Wray said. The agency is also working with US Cyber Command, the CIA, and foreign law enforcement agencies to disrupt Chinese hacking operations. The effort has included going after known hackers, malware developers, and the owners of support infrastructure like bulletproof hosting services and money launderers.

Private sector organizations can do their part by being more diligent about their cyber defense and response mechanisms and by sharing information that can prevent nascent threats from "metastasizing to other sectors" and businesses, Wray said. "We've seen the best outcomes in situations where a company made a habit of reaching out to their local FBI field office even before there was any indication of a problem, because that put everyone on the same page and contributed to the company's readiness."

**About the Author(s)**

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.

FBI Director Wray Issues Dire Warning on China's Cybersecurity Threat

A ransomware gang claimed responsibility for the attack, though it is unknown if a ransom was demanded or paid.

The UN City building located in Copenhagen, DenmarkSource: BERK OZDEMIR via Alamy Stock Photo

The United Nations Development Programme (UNDP) became the victim of a cyberattack in late March, which also impacted the IT infrastructure of the city of Copenhagen, Denmark. 

The UNDP received word of a data-extortion actor stealing its data, some of it related to human resources and procurement. 

As the agency continues to assess the scope of the attack, the UNDP noted in a statement that "actions were immediately taken to identify a potential source and contain the affected server."

The UNDP determined which data was exposed and who is at risk because of the breach. It's also been in contact with those who have been impacted, as well as with stakeholders, such as UN system partners. 

Though the UNDP has not confirmed who the threat actor was, 8Base, a ransomware gang, updated its website in early April, listing UNDP as one of its victims, along with three other entities. The group commented that information such as personal data, certificates, "a huge amount of confidential information," and invoices, among other things, were uploaded to the servers.

UNDP made no subsequent comment and didn't address whether a ransom has been demanded or paid.

**About the Author(s)**

UNDP, City of Copenhagen Targeted in Data-Extortion Cyberattack

The world's most-visited deepfake website and another large competing site are stopping people in the UK from accessing them, days after the UK government announced a crackdown.

Two of the biggest deepfake pornography websites have now started blocking people trying to access them from the United Kingdom. The move comes days after the UK government announced plans for a new law that will make creating nonconsensual deepfakes a criminal offense.

Nonconsensual deepfake pornography websites and apps that “strip” clothes off of photos have been growing at an alarming rate—causing untold harm to the thousands of women they are used to target.

Clare McGlynn, a professor of law at Durham University, says the move is a “hugely significant moment” in the fight against deepfake abuse. “This ends the easy access and the normalization of deepfake sexual abuse material,” McGlynn tells WIRED.

Since deepfake technology first emerged in December 2017, it has consistently been used to create nonconsensual sexual images of women—swapping their faces into pornographic videos or allowing new “nude” images to be generated. As the technology has improved and become easier to access, hundreds of websites and apps have been created. Most recently, schoolchildren have been caught creating nudes of classmates.

The blocks on the deepfake websites in the UK were first spotted today, with two of the most prominent services displaying notices on their landing pages that they are no longer accessible to people visiting from the country. WIRED is not naming the two websites due to their enabling of abuse.

One of the websites with the restriction in place is the biggest deepfake pornography website existing today. Its homepage, when visiting from the UK, displays a message saying access is denied. “Due to laws or (upcoming) legislation in your country or state, we are unfortunately obligated to deny you access to this website,” the message says. It also shows the visitor’s IP address and country.

The other website, which also has an app, displays a similar message. “Access to the service in your country is blocked,” it says, before hinting there may be ways to get around the geographic restriction. The websites do not appear to have any restrictions in place when visiting from the United States, although may also be restricted in other countries.

It is not immediately clear why the sites have introduced the location blocks or whether they have done so in response to any legal orders or notices. Nor is it clear whether the blocks are temporary. Messages sent to the websites through email addresses and contact forms went unanswered. The creators of the websites have not posted any public messages on the websites or their social media channels about the blocks.

Ofcom, the UK’s communications regulator, has the power to persue action against harmful websites under the UK’s controversial sweeping online safety laws that came into force last year. However, these powers are not yet fully operational, and Ofcom is still consulting on them.

It’s likely the restrictions may significantly limit the amount of people in the UK seeking out or trying to create deepfake sexual abuse content. Data from Similarweb, a digital intelligence company, shows the biggest of the two websites had 12 million global visitors last month, while the other website had 4 million visitors. In the UK, they had around 500,000 and 50,000 visitors, respectively.

This week, politicians in the UK announced plans for a law that criminalizes the creation of nonconsensual deepfakes. Under the law, which is yet to be passed, people could face an unlimited fine if they create deepfakes to “cause alarm, humiliation, or distress to the victim.” This builds on previous provisions that make it illegal for people in the UK to share sexualized deepfakes.

“While it’s unclear if these platforms have been ordered to block UK access or have done so proactively due to the recent criminalization, it shows legislation can make a meaningful difference in removing the legal ambiguity that many deepfake pornography platforms use as cover for the clear ethical harms they cause,” Henry Ajder, an AI and deepfake expert, tells WIRED. Ajder adds that search engines and hosting providers around the world should be doing more to limit the spread and creation of harmful deepfakes.

While the two websites can still be accessed in the UK using a VPN, the restrictions are a sign that constant pressure—from lawmakers, tech companies, and campaigners—can make deepfake porn harder to access and create. “Of course, people will be able to use VPN to access these websites and apps, but that introduces friction,” Durham University’s McGlynn says. “It introduces a message that there’s something wrong and harmful about this material such that you have to use a VPN to access it.”

“Hopefully,” McGlynn adds, “this can show other governments around the world that if we take steps, we could actually reduce the prevalence \[of\] and easy access to deepfake sexual abuse material.”

The Biggest Deepfake Porn Website Is Now Blocked in the UK

By Deeba Ahmed
Shadowboxing in Search Results: Tuta Mail De-ranked and Disappearing on Google!
This is a post from HackRead.com Read the original post: Tuta Mail (Tutanota) Accuses Google of Censoring Its Search Results

Is Google hiding Tuta Mail from search results? Here’s the controversy surrounding Tuta Mail’s search ranking and dig deeper into the potential violation of Europe’s DMA. Learn about algorithmic bias, the importance of search transparency, and how users can navigate a potentially unfair digital marketplace.

For many users seeking privacy-focused email solutions, the popular open-source encrypted email service Tuta Mail (previously Tutanota) is a great alternative to mainstream providers. However, the company recently raised concerns about its visibility in Google search results. 

****Tuta Mail Being De-ranked on Google?****

Hanover, Germany-based Tuta Mail, the world’s second-largest secure email service provider, isn’t appearing on Google for search terms like “encrypted email” or “secure email”. Moreover, a dramatic drop in search ranking for “Tutanota login” is observed, suggesting a potential violation of the European Digital Markets Act (DMA).

What happens when Tutanota login is typed in Google (Screenshot: Hackread.com)

According to Tuta Mail’s blog, its users in Germany cannot view Tuta’s website as the first result but only on their Android app on Google Play. It may have severe implications for Tuta’s business, despite being a Google-specific issue, because on other search engines, like Bing or DuckDuckGo, there’s no such issue. This lack of search visibility for relevant keywords can hinder Tuta’s ability to compete in the email service market and put them at a disadvantage. 

****Why Might Google Be De-ranking Tuta Mail?****

Tuta Mail’s lower ranking in Google search results could be due to various factors, including relevance, algorithmic bias, and technical issues. Google’s search algorithms prioritize user experience, and other email service providers may have higher relevance scores. Technical glitches or indexing problems can cause temporary website disappearance from search results, but this is highly unlikely for an established service like Tuta Mail. It is a complex issue and Google must address it to ensure transparency and user awareness. 

What’s more concerning is that it violates the DMA, which promotes fair competition for privacy-conscious companies. The DMA being a new regulation, is evolving its enforcement of search engine practices. If Tuta Mail has evidence of Google manipulating search results, they could file a complaint.

****Not the First Time for Tuta:****

Tuta Mail has been facing blockages from multiple sides. In 2022, Hackread.com reported Microsoft blocking Tutanota/Tuta Mail email addresses from registering for Microsoft Teams accounts, despite the service having over 2 million registered users.

Russia also blocked Tuta in certain parts of the country in February 2020 without notifying the team about the reason whereas the service has been blocked in Egypt since October 2019.

In a comment to Hackread.com, Matthias Pfau, co-founder of Tuta Mail, criticized Google’s monopoly over search engine results, specifically its impact on determining what to show and what not to show.

> _“This issue is limited to Google only. But due to Google’s search dominance in Europe and North America, the drop we see in search results directly affects our business: When potential users are not able to find our website on Google, it means we lose business. Google must stop this unfair limitation of showing our website in search results immediately. We have tried to contact Google directly, but since this did not work, we have to make the issue public.”_
> 
> Matthias Pfau, co-founder of Tuta Mail

1.  How Internet Censorship Affects You – Pros & Cons
2.  Google to Delete Inactive Gmail Accounts From Today
3.  Top 10 worst countries for Internet freedom & censorship
4.  Simple Yet Vital Tips to Send Documents Securely via Email
5.  Google Incognito Mode: New Disclaimer Reveals Data Tracking

Tuta Mail (Tutanota) Accuses Google of Censoring Its Search Results

The local phone and business communications company said that attackers accessed unspecified PII, after infiltrating its internal networks.

A blue whale breaching out of the oceanSource: Kerry Hargrove via Alamy Stock Photo

Texas-based Frontier Communications, which provides local residential and business telecom services in 25 states, has shut down its operations in the wake of a cyberattack that resulted in the theft of personally identifiable information (PII).

The breach occurred four days ago on April 14, when it detected a breach by an unauthorized third party who had gained access to "portions of its information technology environment," according to an incident filing with the US Securities & Exchange Commission (SEC).

As part of its containment efforts, Frontier took "certain of the company's systems \[offline, which\] resulted in an operational disruption that could be considered material." It reported that while its core IT environment is up and running, normal business operations have yet to resume; and as of this writing, the telco's website was still offline.

Frontier didn't disclose what PII the cyberattacker accessed or who's affected, nor the suspected nature of the adversary. Telecom companies are a popular target for both financially motivated attackers as well as advanced persistent threats (APT), given the rich data repositories they hold. For instance, the Sandman APT was behind a prolific string of attacks last fall bent on stealing call-data records, mobile subscriber identity data, and metadata from carrier networks.

"The company continues to investigate the incident, has engaged cybersecurity experts, and has notified law enforcement authorities," according to the SEC filing. "The company does not believe the incident is reasonably likely to materially impact the company's financial condition or results of operations."

**About the Author(s)**

Cyberattack Takes Frontier Communications Offline

Attackers are indiscriminately targeting VPNs from Cisco and several other vendors in what may be a reconnaissance effort, the vendor says.

Source: Wright Studio via Shutterstock

Cisco Talos this week warned of a massive increase in brute-force attacks targeting VPN services, SSH services, and Web application authentication interfaces.

In its advisory, the company described the attacks as involving the use of generic and valid usernames to try and gain initial access to victim environments. The targets of these attacks appear to be random and indiscriminate and not restricted to any industry sector or geography, Cisco said.

The company identified the attacks as impacting organizations using Cisco Secure Firewall VPN devices and technologies from several other vendors, including Checkpoint VPN, Fortinet VPN, SonicWall VPN, Mikrotik, and Draytek.

**Attack Volumes Might Increase**

"Depending on the target environment, successful attacks of this type may lead to unauthorized network access, account lockouts, or denial-of-service conditions," a Cisco Talos statement explained. The vendor noted the surge in attacks began around March 28 and warned of a likely increase in attack volumes in the coming days.

Cisco did not immediately respond to a Dark Reading inquiry regarding the sudden explosion in attack volumes and whether they're the work of a single threat actor or multiple threat actors. Its advisory identified the source IP addresses for the attack traffic as proxy services associated with Tor, Nexus Proxy, Space Proxies, and BigMama Proxy.

Cisco's advisory linked to indicators of compromise — including IP addresses and credentials associated with the attacks — while also noting the potential for these IP addresses to change over time.

The new wave of attacks is consistent with the surging interest among threat actors in the VPNs and other technologies that organizations have deployed in recent years to support remote access requirements for employees. Attackers — including nation-state actors — have ferociously targeted vulnerabilities in these products to try and break into enterprise networks, prompting multiple advisories from the likes of the US Cybersecurity and Infrastructure Security Agency (CISA), the FBI, the National Security Agency (NSA), and others.

**VPN Vulnerabilities Explode in Number**

A study by Securin showed the number of vulnerabilities that researchers, threat actors, and vendors themselves have discovered in VPN products increased 875% between 2020 and 2024. They noted how 147 flaws across eight different vendors' products grew to nearly 1,800 flaws across 78 products. Securin also found that attackers weaponized 204 of the total disclosed vulnerabilities so far. Of this, advanced persistent threat (APT) groups such as Sandworm, APT32, APT33, and Fox Kitten had exploited 26 flaws, while ransomware groups like REvil and Sodinokibi had exploits for another 16.

Cisco's latest advisory appears to have stemmed from multiple reports the company received about password-spraying attacks targeting remote access VPN services involving Cisco's products and those from multiple other vendors. In a password-spraying attack, an adversary basically attempts to gain brute-force access to multiple accounts by trying default and common passwords across all of them.

**Reconnaissance Effort?**

"This activity appears to be related to reconnaissance efforts," Cisco said in a separate April 15 advisory that offered recommendations for organizations against password-spraying attacks. The advisory highlighted three symptoms of an attack that users of Cisco VPNs might observe: VPN connection failures, HostScan token failures, and an unusual number of authentication requests.

The company recommended that organizations enable logging on their devices, secure default remote access VPN profiles, and block connection attempts from malicious sources via access control lists and other mechanisms.

"What is important here is that this attack is not against a software or hardware vulnerability, which usually requires patches," Jason Soroko, senior vice president of product at Sectigo, said in an emailed statement. The attackers in this instance are attempting to take advantage of weak password management practices, he said, so the focus should be on implementing strong passwords or implementing passwordless mechanisms to protect access.

**About the Author(s)**

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.

Cisco Warns of Massive Surge in Password-Spraying Attacks on VPNs

PRESS RELEASE

Auburn, Ala. – Auburn University’s McCrary Institute for Cyber and Critical Infrastructure Security was awarded a $10 million Department of Energy grant in partnership with Oak Ridge National Laboratory (ORNL) to create a pilot regional cybersecurity research and operations center to protect the electric power grid against cyberattacks. 

The total value of the project is $12.5 million, with the additional $2.5 million coming from Auburn University and other strategic partners.

The center, officially named the Southeast Region Cybersecurity Collaboration Center (SERC3), will bring together experts from the private sector, academia and government to share information and generate innovative real-world solutions to protect the nation’s power grid and other key sectors. It will include a mock utility command center to train participants in real-time cyber defense.  

“Auburn University is proud to be at the forefront of this important field as we work against one of the greatest threats the country and the business sector will face in the future,” said Steve Taylor, Auburn University’s senior vice president for research and economic development. “The center will conduct critical research and provide real operational solutions to protect all of us as we address these challenges. We are thankful to Oak Ridge National Laboratory for partnering with us and Rep. Mike Rogers for his support in securing funding for this critical program.”  

The center will run experiments with industry partners in a research lab environment to support integration of new and existing security software and hardware into operational environments. Research labs will be established at Auburn University, housed at the Samuel Ginn College of Engineering, and at the Oak Ridge National Laboratory in Oak Ridge, Tennessee.

“We are excited to work with Auburn on this important national mission,” said Oak Ridge National Laboratory Director Stephen Streiffer. “We’re combining our capabilities to partner with industry, develop new security technologies and transfer those technologies to industry, all while developing the workforce that will operate these enhanced systems.”

Workforce and skills development will be a core role of Auburn’s in this partnership.

“This project provides an exciting opportunity for our college and our students,” said Mario Eden, dean of the Samuel Ginn College of Engineering. “Our students will get hands-on experience in a real-world environment. We have a proven track record of innovation and this project perfectly aligns with our mission to provide the best student-centered engineering experience in America and expand our engineering knowledge through research.”

With an emphasis on critical infrastructure, the research will help utilities across the nation become more resilient to the increasing threat of cyberattacks. 

“We know that adversaries want the ability to disrupt our energy infrastructure, which could be devastating for our communities,” said Moe Khaleel, associate laboratory director for National Security Sciences at ORNL. “SERC3 will focus on establishing regional partnerships and developing science-based solutions to mitigate these threats – and keep everyone’s lights on.”

Puesh M. Kumar, director of the Department of Energy’s Office of Cybersecurity, Energy Security and Emergency Response (CESER), praised the collaboration between organizations.

“I applaud Auburn University and Oak Ridge National Laboratory’s collaborative effort to advance grid cybersecurity,” Kumar said. “Everyone must come together – industry, the national laboratories, academia, as well as State and Federal governments – if we are to succeed against the growing cyber threats facing the U.S. energy sector from malicious actors and nation-states like the People’s Republic of China. This partnership is a critical example of that.”

Frank Cilluffo, director of the McCrary Institute, said the project is at the core of what the institute does. 

“A secure and resilient grid is a national and regional imperative,” Cilluffo said. “Spearheaded by James Goosby at McCrary and Tricia Schulz at Oak Ridge, we will create new research to rapidly identify, share and mitigate cybersecurity risks while we train the future workforce we need to keep us safe.”

Web source: https://www.eng.auburn.edu/news/2024/04/mccrary-serc3.html

Auburn University is a nationally ranked land grant institution recognized for its commitment to world-class scholarship, interdisciplinary research with an elite, top-tier Carnegie R1 classification, life-changing outreach with Carnegie’s Community Engagement designation and an undergraduate education experience second to none. Auburn is home to more than 30,000 students, and its faculty and research partners collaborate to develop and deliver meaningful scholarship, science and technology-based advancements that meet pressing regional, national and global needs. Auburn’s commitment to active student engagement, professional success and public/private partnership drives a growing reputation for outreach and extension that delivers broad economic, health and societal impact.

Auburn's McCrary Institute and Oak Ridge National Laboratory to Partner on Regional Cybersecurity Center

Existing AI technology can allow hackers to automate exploits for public vulnerabilities in minutes flat. Very soon, diligent patching will no longer be optional.

Source: Rokas Tenys via Shutterstock

AI agents equipped with GPT-4 can exploit most public vulnerabilities affecting real-world systems today, simply by reading about them online.

New findings out of the University of Illinois Urbana-Champaign (UIUC) threaten to radically enliven what's been a somewhat slow 18 months in artificial intelligence (AI)-enabled cyber threats. Threat actors have thus far used large language models (LLMs) to produce phishing emails, along with some basic malware, and to aid in the more ancillary aspects of their campaigns. Now, though, with only GPT-4 and an open source framework to package it, they can automate the exploitation of vulnerabilities as soon as they hit the presses.

"I'm not sure if our case studies will help inform how to stop threats," admits Daniel Kang, one of the researchers. "I do think that cyber threats will only increase, so organizations should strongly consider applying security best practices."

**GPT-4 vs. CVEs**

To gauge whether LLMs could exploit real-world systems, the team of four UIUC researchers first needed a test subject.

Their LLM agent consisted of four components: a prompt, a base LLM, a framework — in this case ReAct, as implemented in LangChain — and tools such as a terminal and code interpreter.

The agent was tested on 15 known vulnerabilities in open source software (OSS). Among them: bugs affecting websites, containers, and Python packages. Eight were given "high" or "critical" CVE severity scores. There were 11 that were disclosed past the date at which GPT-4 was trained, meaning this would be the first time the model was exposed to them.

With only their security advisories to go on, the AI agent was tasked with exploiting each bug in turn. The results of this experiment painted a stark picture.

Of the 10 models evaluated — including GPT-3.5, Meta's Llama 2 Chat, and more — nine could not hack even a single vulnerability.

GPT-4, however, successfully exploited 13, or 87% of the total.

It only failed twice for utterly mundane reasons. CVE-2024-25640, a 4.6 CVSS-rated issue in the Iris incident response platform, survived unscathed because of a quirk in the process of navigating Iris' app, which the model couldn't handle. Meanwhile, the researchers speculated that GPT-4 missed with CVE-2023-51653 — a 9.8 "critical" bug in the Hertzbeat monitoring tool because its description is written in Chinese.

As Kang explains, "GPT-4 outperforms a wide range of other models on many tasks. This includes standard benchmarks (MMLU, etc.). It also seems that GPT-4 is much better at planning. Unfortunately, since OpenAI hasn't released the training details, we aren't sure why."

**GPT-4 Good**

As threatening as malicious LLMs might be, Kang says, "At the moment, this doesn't unlock new capabilities an expert human couldn't do. As such, I think it's important for organizations to apply security best practices to avoid getting hacked, as these AI agents start to be used in more malicious ways."

If hackers start utilizing LLM agents to automatically exploit public vulnerabilities, companies will no longer be able to sit back and wait to patch new bugs (if ever they were). And they might have to start using the same LLM technologies as well as their adversaries will.

But even GPT-4 still has some ways to go before it's a perfect security assistant, warns Henrik Plate, security researcher for Endor Labs. In recent experiments, Plate tasked ChatGPT and Google's Vertex AI with identifying samples of OSS as malicious or benign, and assigning them risk scores. GPT-4 outperformed all other models when it came to explaining source code and providing assessments for legible code, but all models yielded a number of false positives and false negatives.

Obfuscation, for example, was a big sticking point. "It looked to the LLM very often as if \[the code\] was deliberately obfuscated to make a manual review hard. But often it was just reduced in size for legitimate purposes," Plate explains.

"Even though LLM-based assessment should not be used instead of manual reviews," Plate wrote in one of his reports, "they can certainly be used as one additional signal and input for manual reviews. In particular, they can be useful to automatically review larger numbers of malware signals produced by noisy detectors (which otherwise risk being ignored entirely in case of limited review capabilities)."

**About the Author(s)**

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.

GPT-4 Can Exploit Most Vulns Just by Reading Threat Advisories

A major international law enforcement effort has disrupted the notorious LabHost phishing-as-a-service platform.

A major international law enforcement effort involving agencies from 19 countries has disrupted the notorious LabHost phishing-as-a-service platform.

Europol reports that the organization’s infrastructure has been compromised, its website shut down, and 37 suspects arrested, including four people in the UK linked to the running of the site, which also allegedly included the original developer of the service.

Europol’s announcement also hints that this isn’t the end of the story, and users of the platform should ready themselves for some uncomfortable encounters with law enforcement in the future. As Europol said in its release:

> A vast amount of data gathered throughout the investigation is now in the possession of law enforcement. This data will be used to support ongoing international operational activities focused on targeting the malicious users of this phishing platform.

The UK’s Metropolitan Police (“The Met”), which spearheaded the operation, says it has already contacted the criminals who used the site:

> Shortly after the platform was disrupted, 800 users received a message telling them we know who they are and what they’ve been doing. We’ve shown them we know how much they’ve paid to LabHost, how many different sites they’ve accessed and how many lines of data they’ve received. Many of these individuals will remain the focus of investigation over the coming weeks and months.

In a phishing attack, criminals use emails to trick users into entering details like passwords or credit card numbers into fake websites. The emails and websites typically mimic popular brands like UPS, Amazon, or Microsoft, and copy the format of emails sent by those companies, luring victims with things like fake security alerts.

Phishing-as-a-Service (PaaS) provides the tools and infrastructure criminals need to carry out phishing attacks on a subscription basis, so they don’t have to create and run it themselves. This lowers the barrier to entry for these kinds of crimes and puts sophisticated tools in the hands of people who wouldn’t otherwise have access to them.

LabHost was set up in 2021 and grew to become one of the largest PaaS vendors. Europol says that “with a monthly fee averaging $249, LabHost would offer a range of illicit services which were customizable and could be deployed with a few clicks.” Those services reportedly included a menu of over 170 fake websites for users to choose from, and a campaign management tool called “LabRat” that could capture two-factor (2FA) authentication codes.

The phishing platform is reported to have had 2,000 registered users and was used to create “more than 40,000 fraudulent sites.” The Met says that around 70,000 individual UK victims have been phished using the service, and that globally, it swallowed up 480,000 card numbers, 64,000 PIN numbers, and more than one million passwords.

Victims in the UK have been contacted by the Met to inform them that some of their data has been compromised. Ironically, thousands of victims being contacted in this way creates an opportunity for copycat phishing emails with Met branding. For that reason, the Met has been careful not to include any links in its communications and warns potential victims that:

> …if you receive any contact from the Met with links in, this will be fraudulent so please do not engage with this.

If you’ve been contacted by the Metropolitan Police about the LabHost breach you can find some useful guidance and support on its LabHost Disruption page.

Tag

#web