Cybersecurity News: Military cyber service, GetCaught abuses services, chatbot jailbreaks

Military cyber service proposal picks up steam

A bipartisan group of lawmakers on the House Armed Services Committee plans to push an amendment into the fiscal 2025 defense authorization bill calling on the Pentagon to study the establishment of a dedicated military cyber service. This will come in the markup stage of the bill, where all sorts of amendments get added. A similar amendment in a Senate bill was dropped late last year. This amendment would task the National Academy with studying the issue. The 2023 National Defense Authorization Act mandated that Cyber Command look at “the prospect of a new force generation model,” but Cyber Command has in the past rejected the idea of creating a wholly new service for cyber defense. Even if this amendment passes, any report conclusions likely wouldn’t influence policy until 2027.

(The Record)

Threat actors abusing legitimate services in campaign

The Insikt Group released a report detailing how a Russian-speaking threat group abuses otherwise legitimate services in a new campaign dubbed GetCaught. The actor uses fake GitHub accounts to host trojanized versions of known software, like 1Password and Pixelmator Pro. Links to these repositories get distributed via SEO poisoning and malvertising. The effort ties into a larger campaign the researchers began tracking last summer, designed to spread RedLine, Lumma, Raccoon, Rhadamanthys, and other malware. The campaign also uses multiple variants tailored to specific operating systems to increase its success rate.

(The Hacker News)

Chatbots susceptible to jailbreaks

A new report from the UK AI Safety Institute found that five anonymous chatbots powered by generative AI models remain highly vulnerable to basic jailbreak techniques, eliciting harmful responses at least 90% of the time when successive attack patterns were used. The tests used the publicly available benchmark HarmBench Standard Behaviors for the question sets. The report also found the models could universally handle high-school-level capture-the-flag-style challenges, but all struggled with more complex situations, like harder cybersecurity challenges and executing a sequence of actions.

(Infosecurity Magazine)

A mailing list for threat intelligence data

The Open Source Security Foundation announced a new mailing list called Siren, designed to share open-source threat intelligence. The idea for Siren came after tabletop exercises by OpenSSF found a gap in its ability to quickly and widely spread information on a newly discovered zero-day. OpenSSF also says Siren will encourage public discussion of vulnerabilities and focus on operational impact. Siren content will be publicly readable, while posting to the list will require registration.

(The Record)

And now a word from our sponsor, Tines

Security teams work best when all members are empowered to do their best work. With Tines, analysts and engineers have everything they need to automate the processes they’re closest to. The result? Hundreds or even thousands of hours that can be used on more impactful work. Built by security practitioners, for security practitioners. Get started today at tines.com/ciso

Iranian threat group linked to wiping attacks

Security researchers at Check Point attributed recent wiping attacks to a group called Void Manticore, suspected of affiliation with Iran’s Ministry of Intelligence and Security. The group began conducting wiper attacks against Albania in mid-2022 and was later seen targeting Israel after October 2023. The group’s attack chains use publicly available tools or exploit known security flaws in internet-facing apps. From there the group deploys web shells before ultimately using custom wiper malware. Researchers at Microsoft believe Void Manticore works as a subsidiary of the Iranian-operated group APT34.

(The Hacker News)

Banking trojan disguises itself as a Google Play update

Researchers at Cyble documented a new banking trojan called Antidot that attempts to pass itself off as a Play Store update. Antidot shows fake update pages in German, French, Spanish, Russian, Portuguese, Romanian, and English, indicating the regions it targets. Once installed, Antidot abuses Android accessibility functions to draw an overlay over other apps and harvest information through keylogging. Researchers say Antidot stands out for its use of WebSocket to maintain communications with C2 servers, allowing for “real-time, bidirectional interaction for executing commands.”

(Dark Reading)

Maybe smart appliances aren’t a great idea

Two cautionary tales. In the first, a pair of UC Santa Cruz students discovered unauthenticated APIs in the internet-connected washing machines from CSC ServiceWorks used on campus, allowing them to add money to accounts or run the machines without payment. The two reported the vulnerabilities to CSC through email and phone calls back in January but received no response.

In another instance, Ars Technica reporter Kevin Purdy discovered that an undocumented API for the internet-connected control module on a Rinnai tankless water heater only needed a registered email address to change settings or view information on the device. The actual harm this could cause was limited, as the water temperature is hard-capped and the connection cannot turn off the heater entirely. Rinnai denied there was an issue, but Purdy later found that the API had been changed to require an authentication token.
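The water heater story turns on one design decision: whether the API treats a registered email address (public, guessable) as proof of identity, or requires a secret issued to the account. The following is an added illustration, not code from Rinnai, CSC ServiceWorks, or the article; the device registry, the token store, the `MAX_TEMP_C` cap and the two `set_temperature_*` handlers are all constructed for the example.

```python
"""Added example: a device API that trusts a registered e-mail address as
identity, beside a hardened version that requires a secret token bound
to the owner's account."""
import hmac
import secrets

# Constructed sample data for the example (not real devices or accounts).
DEVICES = {"heater-001": {"owner": "owner@example.com", "temp_c": 49}}
MAX_TEMP_C = 60  # assumed hard cap, standing in for the limit the article mentions

# Constructed token store: token -> e-mail of the account it was issued to.
# A real service would issue these after a password or OAuth login.
TOKENS = {}


def issue_token(email):
    """Issue a random bearer token for an account (e.g. after a login)."""
    token = secrets.token_urlsafe(32)
    TOKENS[token] = email
    return token


def _account_for_token(token):
    """Resolve a token to an account, comparing each entry in constant time."""
    if not token:
        return None
    for stored, email in TOKENS.items():
        if hmac.compare_digest(stored, token):
            return email
    return None


def set_temperature_weak(device_id, email, temp_c):
    """Weak design: the caller is trusted as soon as it names the owner's e-mail.

    The e-mail is not a secret, so anyone who knows the owner's address can
    change the setting (clamped to the cap, as the article notes).
    """
    device = DEVICES.get(device_id)
    if device is None or device["owner"] != email:
        return "denied"
    device["temp_c"] = min(temp_c, MAX_TEMP_C)
    return "ok"


def set_temperature_hardened(device_id, token, temp_c):
    """Hardened design: the caller must present a token issued to the owner."""
    device = DEVICES.get(device_id)
    if device is None:
        return "denied"
    if _account_for_token(token) != device["owner"]:
        return "denied"
    device["temp_c"] = min(temp_c, MAX_TEMP_C)
    return "ok"


def demo():
    """Show the three cases side by side; returns the three outcomes."""
    # A caller who knows only the public e-mail address succeeds against the weak API.
    weak = set_temperature_weak("heater-001", "owner@example.com", 55)
    # The same caller, with no issued token, is refused by the hardened API.
    stranger = set_temperature_hardened("heater-001", "guess", 55)
    # The real owner, holding a token issued to their account, succeeds.
    token = issue_token("owner@example.com")
    owner = set_temperature_hardened("heater-001", token, 55)
    return weak, stranger, owner


if __name__ == "__main__":
    print(demo())  # ('ok', 'denied', 'ok')
```

The `hmac.compare_digest` loop is a small detail worth copying: comparing tokens with `==` can leak how many leading bytes matched through timing, and a token store is exactly the place where that matters. The temperature clamp mirrors the article's point that a server-side cap limits the damage even when the authentication is weak; it is defense in depth, not a substitute for the token check.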

(The Verge, Ars Technica)

Foxit PDF reader shows the power of design

Check Point researchers detailed a design flaw in the Foxit PDF reader, whose security pop-ups default to trusting the document and allowing execution of additional commands. As a result, most users click through to open their documents. The report found multiple threat actors taking advantage of this design choice to install a wide variety of remote access trojans, and documented it being used to exfiltrate device screenshots or deploy cryptominers. Adobe’s Acrobat Reader uses different defaults. To quote design executive Irene Au, “Good design is like a refrigerator—when it works, no one notices, but when it doesn’t, it sure stinks.”

(The Hacker News)

Rich Stroffolino
Rich Stroffolino is a podcaster, editor, and writer based out of Cleveland, Ohio. Since 2015, he's worked in technology news podcasting and media. He dreams of someday writing the oral history of Transmeta.