Dr. T's security brief


dtau...@gmail.com

Jul 30, 2023, 4:44:31 PM
to sec-...@googlegroups.com

U.S. Program to Identify Safe Smart Devices
Voice of America News
Bryan Lynn
July 19, 2023


The Biden administration has announced a program to identify smart devices that are more resilient against cyberattacks, to help the public decide which commercial devices are safest to use. The White House said the Federal Communications Commission (FCC)-administered program will assign the most protected devices a "U.S. Cyber Trust Mark." Analysts will use quality requirements created by the National Institute of Standards and Technology to rate the devices' safety levels. The requirements call for unique and strong passwords, data safeguards, software improvements, and built-in tools for detecting cyberattack attempts. The FCC's Jessica Rosenworcel said the program would encompass a broad spectrum of Internet of Things devices that administration officials warn have the potential to elevate cybersecurity threats.


Top Tech Firms Sign White House Pledge to Identify AI-Generated Images
The Washington Post
Cat Zakrzewski
July 21, 2023


On Friday, the White House announced that Google, Amazon, Microsoft, Meta, and OpenAI, along with tech startups Anthropic and Inflection, had signed a voluntary pledge to have their artificial intelligence (AI) systems verified by independent security experts before their public release. The companies also pledged to share safety data with the government and researchers and to develop "watermarking" systems that would identify AI-generated images, videos, or text. The agreement, which a senior White House official said would strengthen industry standards, comes as the Biden administration plans an AI-focused executive order, Congress works to create bipartisan legislation to regulate AI, and government agencies look to leverage existing laws for AI regulation.


A New Way to Look at Data Privacy
MIT News
Adam Zewe
July 14, 2023


A new metric developed by Massachusetts Institute of Technology (MIT) researchers allows a small amount of noise to be added to models to protect sensitive data while maintaining the model's accuracy. An accompanying framework to the Probably Approximately Correct (PAC) Privacy metric automatically identifies the minimal amount of noise to add without having to know the model's inner workings. PAC Privacy considers the difficulty for an adversary to reconstruct sensitive data after the addition of noise, and determines the optimal amount of noise based on entropy in the original data from the adversary's viewpoint. It runs the user's machine learning training algorithm numerous times on different subsamplings of data, comparing the variance across all outputs to calculate how much noise must be added.


Courseware Products Lack Sufficient Safeguards To Protect Students, Data Privacy

The Chronicle of Higher Education (7/20, Swaak) reports that millions of US learners “purchase courseware products like Connect, Pearson MyLab, and Cengage MindTap every year to gain access to integral parts of their college courses, including eBooks, homework assignments, exams, and study tools.” However, “as widespread as courseware has become, safeguards to protect student data privacy are riddled with cracks – a weakness that plagues many educational technologies used in colleges.” The data risks, “privacy advocates say, leave students vulnerable to having their data used and shared in ways they have no knowledge of, or control over.”

 

Survey: Business IT Security Teams Concerned They May Be Compromised Without Knowing

TechRadar (7/19, Fadilpasic) writes that a new report from cybersecurity experts Vectra AI “surveying more than 2,000 IT security analysts found that nearly all (97%) are worried they’ll miss important security events, while 71% admitted to possibly being compromised, but not knowing.” Two key reasons cited “are the threat landscape that keeps on growing, and the endpoint tech stack that often only makes things worse.” For 63% of the respondents, “their attack surface grew this year,” while for 70%, the same “happened for the number of security tools in use, while for 66%, the number of alerts rose ‘significantly.’”

 

At Least 30 Colleges Face Potential Data Exposure From MOVEit Hack

Bloomberg (7/20, Levine, Subscription Publication) reports, “The ongoing cyberattack exploiting MOVEit file-transfer software has taken a toll on U.S. colleges and universities,” as at least 30 institutions “have been notified that personal information of students and employees may have been exposed through vendors” that use MOVEit “or have a service provider that does, according to statements from the schools.” Impacted colleges and universities include Stony Brook University, Rutgers University, Loyola University Chicago, and others. The colleges and universities “are among dozens, perhaps hundreds, of companies and organizations that were impacted by a Russian-speaking gang that exploited a flaw in a popular file-transfer product to steal data.” The impact “on the higher education sector shows the potential ripple effects of software breaches,” and the “widening repercussions of the MOVEit attacks.”

 

MOVEit Cyberattack Signals Growing Security Threats Against Higher Ed Institutions

Inside Higher Ed (7/27, Coffey) reports “hacking attacks against higher education institutions are on the rise as other industries battered by cybersecurity threats tighten their defenses and many in education remain unprepared, experts warn.” In May, the ransomware group called Cl0p “took credit for a massive cyberattack against hundreds of organizations, including higher ed institutions,” claiming it stole data “by breaching MOVEit, a software product used for file transfers, and security experts estimate the information of millions of people may be affected.” Inside Higher Ed spoke with cybersecurity experts “on the latest MOVEit attack, what to expect in the future and how institutions can stay safe from hackers.” Among other findings, “while many institutions were directly hit due to their use of MOVEit, the attack became broader because third-party vendors – many with higher education ties – used the software.”
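The PAC Privacy item in this message describes calibrating noise from the spread of a training algorithm's outputs across random subsamples of the data. The Python below is an added illustration of that calibration loop written for this brief; it is not the MIT framework's code. It treats the mean of a feature as the "model", measures the variance of that output over subsamples, and sizes Gaussian noise so that a simplified Gaussian-channel bound, 0.5·log2(1 + output variance / noise variance), stays below a chosen budget in bits. That bound, the training function, the 0.5 subsample fraction, the budget and the datasets are all assumptions constructed for the example, not the paper's exact analysis.

```python
import math
import random


def train(rows):
    """Stand-in 'training algorithm': a one-parameter model (the sample mean).
    Any deterministic function of the data could be substituted here."""
    return sum(rows) / len(rows)


def subsample_outputs(data, n_trials=200, frac=0.5, seed=0):
    """Run `train` on many random subsamples and collect its outputs.
    The spread of these outputs is what the noise calibration is based on."""
    rng = random.Random(seed)
    k = max(1, int(len(data) * frac))
    return [train(rng.sample(data, k)) for _ in range(n_trials)]


def output_variance(outputs):
    """Unbiased sample variance of the collected training outputs."""
    mean = sum(outputs) / len(outputs)
    return sum((o - mean) ** 2 for o in outputs) / (len(outputs) - 1)


def noise_sigma(out_var, max_bits):
    """Smallest Gaussian noise std such that the simplified bound
    I(data; released output) <= 0.5 * log2(1 + out_var / noise_var)
    stays at or below `max_bits`. (Assumption: the Gaussian-channel capacity
    bound is used here as an easy-to-check stand-in for the paper's analysis.)"""
    if max_bits <= 0:
        raise ValueError("privacy budget must be positive")
    return math.sqrt(out_var / (2 ** (2 * max_bits) - 1))


def release(data, max_bits, n_trials=200, seed=0):
    """Calibrate noise from subsample variance, then publish train(data) + noise.
    Returns (noisy_output, noise_std)."""
    outs = subsample_outputs(data, n_trials=n_trials, seed=seed)
    sigma = noise_sigma(output_variance(outs), max_bits)
    rng = random.Random(seed + 1)  # separate stream for the released noise
    return train(data) + rng.gauss(0.0, sigma), sigma


def constructed_dataset(n=100, seed=1, outlier=None):
    """Constructed data for the demo: uniform values in [0, 1), optionally
    with one extreme record appended (the 'sensitive' individual)."""
    rng = random.Random(seed)
    rows = [rng.uniform(0.0, 1.0) for _ in range(n)]
    if outlier is not None:
        rows.append(outlier)
    return rows


if __name__ == "__main__":
    plain = constructed_dataset()
    with_outlier = constructed_dataset(outlier=1000.0)
    for name, data in (("plain", plain), ("with outlier", with_outlier)):
        value, sigma = release(data, max_bits=0.5)
        print(f"{name:13s} true={train(data):9.4f} released={value:9.4f} noise_std={sigma:.4f}")
```

The point the two datasets make: the calibration never inspects `train`, yet the dataset with one extreme record gets hundreds of times more noise, because that record swings the output of roughly half the subsamples. The price is the repeated training runs, and the subsamples must be drawn fresh for each release rather than reused.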

Daniel Tauritz

Aug 5, 2023, 1:33:39 PM
to sec-...@googlegroups.com

CPU Security Loophole: Analysis of Energy Consumption Allows Data Theft
Graz University of Technology (Austria)
Philipp Jarke
August 2, 2023


Researchers at Austria's Graz University of Technology (TU Graz) and Germany's Helmholtz Center for Information Security found all common central processing units (CPUs) possess a security loophole. The Collide+Power exploit allows hackers to analyze the CPU's energy consumption to read data from its memory. Attackers upload a data package on a segment of the processor, then malware overwrites the attacker's data with the targeted data, consuming power. By repeating this process thousands of times, attackers can exfiltrate targeted data from slightly modified power consumption occurring each time. The hackers can determine power consumption and the targeted data from computing delays caused by the overwrite on the victim's processor.


Discovery of Smartphone Vulnerability Reveals Hackers Could Track Your Location
Northeastern Global News
Ian Thomsen
July 27, 2023


Researchers led by Northeastern University's Evangelos Bitsikas discovered a flaw in text messaging that could allow attackers to track smartphone owners' whereabouts using a machine learning algorithm to mine data derived from the short messaging services (SMS) system. Said Bitsikas, "Just by knowing the phone number of the user victim, and having normal network access, you can locate that victim." Bitsikas' approach involves a hacker sending multiple text messages to the target's cellphone, triangulating their location with or without encrypted communications through the timing of their automated delivery notifications. His team's algorithm can detect the location "fingerprint" created by that timing. Bitsikas said he has found no evidence of the vulnerability's current exploitation.


Cipher System Protects Computers Against Spy Programs
Tohoku University (Japan)
August 1, 2023


A team of international researchers created an efficient cache randomization cipher to protect against cache side-channel attacks. Rei Ueno at Japan's Tohoku University worked with colleagues at utility Nippon Telegraph and Telephone and Germany's Ruhr University Bochum to develop a cipher founded on a comprehensive mathematical formulation and simulation of cache side-channel attacks. The researchers said the SCARF (Secure CAche Randomization Function) cipher can complete randomization with just half the latency of current cryptographic methods. Ueno said SCARF "is engineered to be compatible with various modern computer architectures, ensuring its widespread applicability and potential to bolster computer security significantly."


Android Malware Steals User Credentials Using Optical Character Recognition
Ars Technica
Dan Goodin
July 28, 2023


Malicious Android applications uncovered by researchers at security firm Trend Micro steal user credentials on phone screens via optical character recognition (OCR). The researchers found at least four Android apps available outside of Google Play hosting the CherryBlos malware, which used a paid version of Jiagubao software to encrypt code and code strings to block detection. CherryBlos overlaid windows that emulated those of legitimate apps for Binance and other cryptocurrency services, and substituted the wallet addresses the victim chose to receive funds with attacker-controlled addresses. The researchers also discovered the malware can record mnemonic passphrases for accessing accounts, using OCR to render images as text. They also found 21 Google Play-hosted apps using the same digital certificate or attacker framework as the CherryBlos apps.


Blockchain Could Help Protect Ancient Treasures from Looting
CNN
Nadia Leigh-Hewitson
July 31, 2023


A blockchain tool to prevent the looting of ancient relics was developed by researchers at the U.A.E.'s University of Abu Dhabi and the U.K.'s University College London. Museums or collectors can use the Salsal Web platform to enter details about their collection that experts can evaluate to determine authenticity, as well as confirming their lawful or unlawful obtainment. Once confirmed, owners can convert collections into non-fungible tokens that function as certificates of authentication, permit secure transfer of ownership, and facilitate tracking. The resulting history is intended to deter potential thieves and encourage the return of looted treasures to their native countries.


National Cybersecurity Strategy Aims To Strengthen US Cyber Workforce Amid Vacant Job Challenges

The Washington Post (8/1) reports that the U.S. National Cyber Director released a strategy to bolster the cybersecurity workforce, addressing four pillars: enhancing cyber skills for all Americans, transforming education, building the national and federal workforce. The strategy aims to tackle the persistent issue of hundreds of thousands of vacant cyber jobs and emphasizes the importance of diversity and lifelong learning. Commitments from agencies, private sector, and nonprofits accompany the plan.

 

Generative AI Increases Capabilities Of Hackers, Cybersecurity Experts

CNBC (8/2, Caminiti) reports generative AI is increasing the capabilities of both hackers and cybersecurity professionals. While AI has made it possible to create more authentic looking phishing attacks and to let hackers “move faster and with greater scale,” the technology also lets companies automate cybersecurity defenses in order to respond to attacks faster. BitSight Co-Founder and CTO Stephen Boyer said, “AI makes the bad attacker a more proficient attacker, but it also makes the OK defender a really good defender.” Collin R. Walke, the head of cybersecurity and data privacy practice at the Hall Estill law firm, warned, “We still have a lot of people in AI companies around the world that are going to continue to abuse the system, that are going to continue to develop the technology without adequate legal or ethical rules in place.” He recommends CISOs work closely with company boards, CEOs, and chief risk officers to decide how and when AI is deployed.

 

First Lady, Education Secretary To Host Summit On Cybersecurity In Schools Next Week

Axios (8/3, Sabin) reports a group “of school superintendents, educators and education technology vendors will meet at the White House Monday to discuss the growing number of cyberattacks targeting schools, a White House official told Axios.” First Lady Jill Biden, Education Secretary Cardona “and Secretary of Homeland Security Alejandro Mayorkas will host the Cybersecurity Summit for K-12 Schools on Monday afternoon, the official told Axios.” Participants “will discuss the ways they can work together to secure schools’ online infrastructure, per the official.” Both government agencies “and private industry are expected to announce new ‘commitments’ at the summit, although the official did not say what those will entail while they’re being finalized.” Representatives “from the White House, Cybersecurity and Infrastructure Security Agency and Federal Communications Commission are also expected to attend.”
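The SCARF item in this message is about replacing a cache's fixed address-to-set mapping with a keyed one, so that an attacker can no longer tell from an address which other addresses collide with it in a set. The Python below is an added software model of that property, written for this brief; it is not SCARF. HMAC-SHA256 stands in for the keyed function (far too slow for cache hardware; SCARF's contribution is a purpose-built low-latency cipher), and the 64-set, 64-byte-line cache, the victim address and the keys are all constructed for the demo. It compares how many attacker-chosen "congruent" addresses really land in the victim's set under each mapping, and how much of a learned mapping survives a key change.

```python
import hashlib
import hmac

LINE_BYTES = 64   # cache line size (assumption for the model)
NUM_SETS = 64     # number of sets in the modelled cache (assumption)


def plain_set_index(addr):
    """Conventional cache: the set index is a fixed slice of the address bits,
    so anyone who knows the address knows the set."""
    return (addr // LINE_BYTES) % NUM_SETS


def randomized_set_index(addr, key):
    """Keyed line-address -> set mapping. HMAC-SHA256 is only a stand-in for a
    hardware cipher such as SCARF; the property demonstrated (set placement is
    unpredictable without the key) is the same, the latency is not."""
    line = (addr // LINE_BYTES).to_bytes(8, "big")
    digest = hmac.new(key, line, hashlib.sha256).digest()
    return int.from_bytes(digest[:4], "big") % NUM_SETS


def congruent_addresses(victim_addr, count):
    """Addresses an attacker would pick to share the victim's set under the
    plain mapping: same set-index bits, different tag (one set-stride apart)."""
    stride = LINE_BYTES * NUM_SETS
    base = victim_addr % stride
    return [base + i * stride for i in range(1, count + 1)]


def collision_fraction(victim_addr, candidates, index_fn):
    """Fraction of candidate addresses that really map to the victim's set."""
    victim_set = index_fn(victim_addr)
    hits = sum(1 for a in candidates if index_fn(a) == victim_set)
    return hits / len(candidates)


def set_stability_after_rekey(addrs, key_a, key_b):
    """Fraction of lines that keep their set index when the key changes;
    this is what an attacker's learned eviction sets are worth after rekeying."""
    same = sum(
        1 for a in addrs
        if randomized_set_index(a, key_a) == randomized_set_index(a, key_b)
    )
    return same / len(addrs)


if __name__ == "__main__":
    victim = 0x7F3A1000                           # hypothetical victim line address
    key1 = b"constructed-demo-key-1-not-secret"   # constructed keys for the demo
    key2 = b"constructed-demo-key-2-not-secret"
    candidates = congruent_addresses(victim, 1000)
    keyed = lambda a: randomized_set_index(a, key1)
    print("plain mapping, collisions:", collision_fraction(victim, candidates, plain_set_index))
    print("keyed mapping, collisions:", collision_fraction(victim, candidates, keyed))
    print("expected for a random mapping:", 1 / NUM_SETS)
    print("sets unchanged after rekey:", set_stability_after_rekey(candidates, key1, key2))
```

Under the plain mapping every candidate collides (fraction 1.0); under the keyed mapping about 1/64 do, which is no better than guessing. Randomization alone does not stop an attacker who can observe evictions from searching for congruent addresses by trial; it makes that search expensive, and periodic rekeying, whose effect the stability figure shows, forces it to be redone.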

dtau...@gmail.com

Aug 14, 2023, 8:22:36 AM
to sec-...@googlegroups.com

Downfall Attacks on Intel CPUs Steal Encryption Keys, Data
BleepingComputer
Ionut Ilascu
August 8, 2023


Google's Daniel Moghimi exploited the so-called "Downfall" bug in Intel central processing units to steal passwords, encryption keys, and private data from computers shared by multiple users. The transient execution side-channel vulnerability affects multiple Intel microprocessor lines, allowing hackers to exfiltrate Software Guard eXtensions-encrypted information. Moghimi said Downfall attacks leverage the gather instruction that "leaks the content of the internal vector register file during speculative execution." He developed the Gather Data Sampling exploit to extract AES 128-bit and 256-bit cryptographic keys on a separate virtual machine from the controlled one, combining them to decrypt the information in less than 10 seconds. Moghimi disclosed the flaw to Intel and worked with the company on a microcode update to address it.


VR Headsets Are Vulnerable to Hackers
UC Riverside News
David Danelski
August 8, 2023


Computer scientists at the University of California, Riverside found hackers can translate the movements of virtual reality (VR) and augmented reality (AR) headset users into words using spyware and artificial intelligence. In one example, spyware used a headset user's motions to record their Facebook password as they air-typed it on a virtual keyboard. Spies also could potentially access a user's actions during virtual meetings involving confidential information by interpreting body movements. One exploit showed hackers retrieving a target's hand gestures, voice commands, and keystrokes on a virtual keyboard with over 90% accuracy. Researchers also developed a system called TyPose that uses machine learning to extract AR/VR users' head motions to deduce words or characters they are typing.


White House Launches AI-Based Contest to Secure Government Systems from Hacks
Reuters
Zeba Siddiqui
August 9, 2023


The White House announced the launch of a competition to encourage the use of artificial intelligence (AI) to pinpoint and correct vulnerabilities in U.S. government infrastructure. The Defense Advanced Research Projects Agency (DARPA) will administer the two-year contest, which offers about $20 million in prizes; leading AI technology vendors Google, Anthropic, Microsoft, and OpenAI will provide systems for the competition. Deputy national security adviser for cyber and emerging technology Anne Neuberger said the goal of the competition “is to catalyze a larger community of cyber defenders who use the participating AI models to race faster—using generative AI to bolster our cyber defenses."


Planting Ideas in a Computer's Head
ETH Zurich (Switzerland)
Oliver Morsch
August 8, 2023


Researchers at Switzerland's ETH Zurich formulated a strategy to invisibly plant "ideas" within a computer in order to steal data by exploiting a flaw in certain central processing units (CPUs). ETH's Daniël Trujillo said, "It looked as though we could make the CPUs manufactured by AMD believe that they had seen certain instructions before, whereas in reality that had never happened." Planting ideas in the CPU allowed the researchers to rig the look-up table the chip continuously generates from previous instructions, enabling them to leak data from anywhere in the computer's memory. ETH's Kaveh Razavi alerted AMD to the vulnerability in February to ensure the chipmaker had a patch ready before the researchers published their findings.


New Weapon in the War on Robocall Scams
NC State University News
Matt Shipman
August 8, 2023


An automated tool developed by North Carolina State University computer scientists aims to help deter robocall scams and understand their scope by analyzing their content. SnorCall can characterize robocall content without violating privacy concerns. The tool records, bundles, and transcribes a vast number of robocalls, then uses the Snorkel machine learning framework to analyze and characterize each call. In a study of 232,723 robocalls over 23 months, SnorCall identified 26,791 campaigns, as well as robocallers' callback numbers, which regulators and law enforcement can use to find out who opened the account to perpetrate the scam. The researchers also observed that robocalls use major societal events, like student loan forgiveness, to launch new scams.


Cyberattack on U.K.'s Electoral Registers Revealed
BBC News
Paul Seddon
August 8, 2023


The U.K.'s Electoral Commission disclosed a "complex cyberattack" in which "hostile actors" accessed copies of the electoral registers from August 2021, potentially impacting millions of voters. The elections regulator said the perpetrators also penetrated its emails and "control systems," although the attack was not uncovered until last October. The commission said it was retaining the registers the hackers accessed for research and to vet political donors. The information held at the time of the breach included the names and addresses of U.K. residents who registered to vote between 2014 and 2022, as well as the names of overseas voters. The commission said it secured the compromised systems after the attack's detection in October 2022.


Acoustic Attack Steals Data from Keystrokes with 95% Accuracy
BleepingComputer
Bill Toulas
August 5, 2023


Researchers in the U.K. have taught a deep learning model to steal data from recorded keyboard keystrokes with 95% accuracy. Attackers can use a nearby microphone to record the keystrokes used to train the prediction algorithm, or they can capture them through a Zoom call where a fraudulent participant correlates messages typed by the target with the sound recording. The researchers recorded the sounds of 36 different keys being depressed on a modern MacBook Pro to collect training data, then generated waveforms and spectrograms to visualize identifiable distinctions for each key. They trained the CoAtNet image classifier on the spectrograms to achieve the most accurate prediction results. The classifier's accuracy fell to 93% when using data compiled from Zoom, and to 91.7% with Skype-gathered data.


Google Update Makes It Easier for U.S. Users to Remove Some Unwanted Search Results
CNN
Catherine Thorbecke
August 4, 2023


New privacy updates rolled out by Google include a dashboard that will allow U.S. users to determine whether their contact information shows up in its search engine and request those results to be removed. Notifications also will be sent to users when new search results with their contact information show up. Further, Google will make it possible for users to request that personal, explicit images be removed from its search engine. The moves are essentially a step toward a U.S.-version of the E.U.'s legally mandated “right to be forgotten” laws, although the Google updates do not currently go beyond the scope of personal explicit images or contact information.


Unpatchable AMD Chip Flaw Unlocks Paid Tesla Feature Upgrades
Tom's Hardware
Brandon Hill
August 3, 2023


Security researchers at Germany's Technical University of Berlin have cracked modern Tesla vehicles' Media Control Unit (MCU) to access paid features through an unpatchable flaw in the MCU-controlling AMD processor. The researchers said they launched a voltage fault injection attack against the third-generation MCU-Z's Platform Security Processor, allowing the decryption of objects stored in the Trusted Platform Module. They explained, "Our gained root permissions enable arbitrary changes to Linux that survive reboots and update. They allow an attacker to decrypt the encrypted NVMe [Non-Volatile Memory Express] storage and access private user data such as the phonebook, calendar entries, etc." The researchers found hackers can access Tesla subsystems and even paywall-locked optional content via the exploit.


Strengthening Defenses Against Common Cyberattack
Pacific Northwest National Laboratory
Tom Rickey
August 3, 2023


Computer scientists at the U.S. Department of Energy's Pacific Northwest National Laboratory (PNNL) developed a technique that outperforms traditional methods for detecting denial-of-service (DOS) attacks. During a DOS attack, there is a state of low entropy at the target address but high entropy among the sources of the clicks going to the target. The technique involves monitoring static entropy levels and trends over time. The researchers used the Tsallis entropy formula for some of the underlying mathematics, which is hundreds of times more sensitive in distinguishing between legitimate flash events and DOS attacks than the Shannon entropy formula used by most DOS detection algorithms. PNNL's technique correctly identified 99% of DOS attacks, while 10 standard algorithms identified an average of 52% of such attacks.


EU Late to the Quantum Party
IEEE Spectrum
Tammy Xu
August 6, 2023


The European Policy Center (EPC) think tank said the European Union (EU)'s quantum computing strategy lags behind those of other countries. With a quantum system that can crack modern cryptography due within the next 20 years, the EPC's Andrea G. Rodríguez said EU policymakers have little time to organize and deploy technical and logistical programs to become quantum-ready. The U.S. National Institute of Standards and Technology will issue post-quantum cryptography standards next year, while the EPC says only organizations that utilize cryptography in their own code would need to pinpoint where to swap out their old standards for new ones. Rodríguez said the arduousness of this task requires the EU to develop a post-quantum cryptography strategy immediately, noting the bloc's quantum key distribution efforts lack maturity.


Biden Administration Announces Efforts To Boost K-12 Cybersecurity

Politico Weekly Education (8/7) reports the Biden Administration on Monday unveiled “new attempts to protect schools” from cyberattacks. The ED will “lead a Government Coordinating Council that officials say will quarterback policy and communications between governments to strengthen school cyber defenses. The department issued new technical briefs for schools, including one co-authored with the Cybersecurity and Infrastructure Security Agency (CISA).” Major attacks recently impacted school districts in Minneapolis, Los Angeles, and Baltimore.

        The Seventy Four (8/7, Keierleber) reports a White House event scheduled for Monday intended to have federal officials hear “from school district leaders who navigated attacks, including Los Angeles Unified School District Superintendent Alberto Carvalho, who led America’s second-largest school system through a hack last September.” However, the AP (8/7) reported that because of severe thunderstorms impacting the eastern US, the White House canceled the “back-to-school cybersecurity event” that was to feature First lady Jill Biden, Education Secretary Miguel Cardona, Homeland Security Secretary Alejandro Mayorkas, “and school administrators, educators and education technology providers from around the country.”

        Education Week (8/7) reports the proposed council will coordinate with districts “to host training activities, recommend policies, and communicate best practices to ensure schools are prepared to respond to and recover from cybersecurity threats and attacks.” Education Secretary Miguel Cardona said in a statement, “Just as we expect everyone in a school system to plan and prepare for physical risks, we must now also ensure everyone helps plan and prepare for digital risks in our schools and classrooms. The Department of Education has listened to the field about the importance of K-12 cybersecurity, and today we are coming together to recognize this and indicate our next steps.”

        K-12 Dive (8/7) reports the ED issued a “guidance document specifically for K-12 that education leaders can reference to help mitigate vulnerabilities, manage third-party vendors, create cybersecurity governance, provide basic cybersecurity training and conduct other activities.” Additionally, the FBI and National Guard Bureau released updated guidance “on how school systems can report cybersecurity incidents and get support from federal cyber defense programs.”

        Amazon Pledges $20M For White House School Cybersecurity Initiative. Bloomberg (8/7, Sink, Subscription Publication) reports Amazon Web Services is “offering $20 million in cybersecurity grants to K-12 schools as part of a new White House initiative designed to help shield the nation’s elementary, middle, and high schools from attacks targeting school records and operations.” Amazon will also provide “free security training and assistance for school districts experiencing cyber attacks, while Cloudflare Inc. will provide smaller school districts with internet browsing and email security software.”

        Report: Nearly Half Of K-12 Institutions Hit By Ransomware Attacks Paid To Recover Their Stolen Data. K-12 Dive (8/7, Riddell) reports that “just under half (47%) of public and private lower education, or K-12, institutions worldwide hit by a ransomware attack ultimately paid to recover their stolen data, according to a report from U.K.-based cybersecurity firm Sophos.” The survey also found that “nearly three-quarters (73%) of polled lower education providers were able to use backups to restore data following such an attack.” Nearly a “quarter (23%) used multiple recovery methods to restore data, though recovery costs averaged about $2.18 million for those paying ransoms compared to $1.37 million for those restoring with backups.”

 

Higher Ed Sector Faces Excessive AI Sales Pitches Following ChatGPT’s Success

The Chronicle of Higher Education (8/7, Swaak) reports that since ChatGPT’s launch, “companies have been racing to capitalize on the AI hype – or, perhaps, to stay competitive as the tech industry continues to bet big on artificial intelligence.” As a result, vendors have “rapidly rolled out products geared for various college operations.” In a poll of “more than 700 LinkedIn members, 55 percent reported receiving multiple pitches a week, or having ‘lost count.’” One tool “promised to help college staff flag mental-health crises and ‘threats’; another, to assist in retaining a diverse student population” following the Supreme Court’s affirmative action ruling. Sources The Chronicle interviewed “said they are open to using AI in higher education,” but most “haven’t found the latest offerings particularly innovative, or necessary,” so for now, “at least, there’s a lot of clicking ‘delete.’”

 

Microsoft’s AI Red Team Has Been Addressing AI Weaknesses For Years

Wired (8/7, Hay Newman) reports Microsoft is revealing details about its AI red team, which “since 2018 has been tasked with figuring out how to attack AI platforms to reveal their weaknesses.” The team “concluded that AI security has important conceptual differences from traditional digital defense.” Team founder Ram Shankar Siva Kumar said that besides traditional security concerns, “We now have to recognize the responsible AI aspect, which is accountability” for machine learning flaws and failures, such as generating offensive or ungrounded content.

 

Hackers Will Compete To See Who Can Cause More Errors In AI Models At Def Con

The Washington Post (8/8) reports that at this week’s annual Def Con hacker convention in Las Vegas, the Generative Red Team Challenge will see top hackers from around the world compete to cause “AI models to err in various ways, with categories of challenges that include political misinformation, defamatory claims, and ‘algorithmic discrimination,’ or systemic bias.” The event “has drawn backing from the White House as part of its push to promote ‘responsible innovation’ in AI,” and will see leading “AI firms such as Google, OpenAI, Anthropic and Stability” volunteer “their latest chatbots and image generators to be put to the test.” The results of the competition “will be sealed for several months afterward, organizers said, to give the companies time to address the flaws exposed in the contest before they are revealed to the world.”

 

Over 600 Organizations, Nearly 40M Impacted By MOVEit Hack

Reuters (8/8, Satter, Siddiqui) reports the MOVEit breach has “compromised data at more than 600 organizations worldwide, according to cyber analyst tallies corroborated by Reuters.” More than two months “after the breach was first disclosed by Massachusetts-based Progress Software, the parade of victims has scarcely slowed.” As of Tuesday, cybersecurity firm Emsisoft “had totaled up 602 victims with 39.7 million people affected.” German IT analyst Bert Kondruss has “come up with similar figures, which Reuters corroborated by cross-checking them against public statements, corporate filings and cl0p’s posts.”

 

White House Hosts Inaugural School Cybersecurity Summit

The AP (8/8) reports the White House on Tuesday “held its first-ever cybersecurity ‘summit’ on the ransomware attacks plaguing U.S. schools, in which criminal hackers have dumped online sensitive student data, including medical records, psychiatric evaluations and even sexual assault reports.” During the summit, First Lady Jill Biden said, “If we want to safeguard our children’s futures we must protect their personal data. Every student deserves the opportunity to see a school counselor when they’re struggling and not worry that these conversations will be shared with the world.” At least 48 districts “have been hit by ransomware attacks this year – already three more than in all of 2022, according to the cybersecurity firm Emsisoft.” All but 10 “had data stolen, the firm reported.”

        The Dallas Morning News (8/8) reports, “At the White House, school administrators and members of Congress joined the first lady, Education Secretary Miguel Cardona and Homeland Security Secretary Alejandro Mayorkas to discuss cybersecurity as the new school year gets under way. Also on hand were officials from the FBI, National Security Council, and Cybersecurity and Infrastructure Security Agency, which is part of Mayorkas’ department.”

        Spectrum News (8/7) reports Anne Neuberger, White House Deputy National Security Advisor for Cyber and Emerging Technologies, said in a Tuesday interview, “We’ve seen significant cyber attacks happening across the United States, disrupting school operations and perhaps even more significantly, stealing kids’ sensitive data, psychiatric records, grade records.” Neuberger told Spectrum News the Administration believes these acts are “financially driven.” She said, “We believe it’s criminals, in some cases criminals living outside the United States, who are seeking to force companies, in this case, schools to pay a ransom to recover or to protect their data. And frankly, each one that pays a ransom drives more and more cyber attacks.”

 

MOVEit Attacks Against Higher Ed Could Do More Harm Than Previously Thought

Higher Ed Dive (8/10, Kapko) reports the “mass exploit of a zero-day vulnerability in MOVEit has compromised more than 600 organizations and 40 million individuals to date, but the numbers mask a more disastrous outcome that’s still unfolding.” The victim pool represents “some of the most entrenched institutions” in sectors including healthcare, education, and finance. The subsequent “reach and potential exposure caused by the Clop ransomware group’s spree of attacks against these organizations is vast, and the number of downstream victims is not yet fully realized.” For example, Colorado State University “was hit six times, six different ways,” after the school’s third-party vendors “all informed the school of data breaches linked to the MOVEit attacks.”
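The PNNL item in this message turns on the entropy of source and destination addresses within a traffic window: a target under denial of service shows low destination entropy and high source entropy. The Python below is an added example written for this brief, not PNNL's code. It implements both Shannon and Tsallis entropy over flow counts, builds a baseline from a few normal windows, and flags a later window whose destination entropy collapses while its source entropy rises above the baseline. The traffic windows, client and server pools, thresholds and the choice q=2 are all constructed for the example, and the distinction it draws between a flash crowd (the usual clients all hitting one server) and a spoofed-source flood (many never-seen sources hitting one server) is this example's heuristic, not a description of the PNNL method.

```python
import math
import random
from collections import Counter


def shannon(counts):
    """Shannon entropy (bits) of the empirical distribution given by counts."""
    n = sum(counts)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def tsallis(counts, q=2.0):
    """Tsallis entropy S_q = (1 - sum_i p_i^q) / (q - 1). For q=2 it equals
    1 - sum p_i^2 and lies in [0, 1): 0 for a single address, close to 1 when
    traffic is spread over many addresses."""
    n = sum(counts)
    return (1.0 - sum((c / n) ** q for c in counts)) / (q - 1.0)


def window_entropy(flows, entropy=tsallis):
    """(source entropy, destination entropy) for a list of (src, dst) flows."""
    src_counts = list(Counter(s for s, _ in flows).values())
    dst_counts = list(Counter(d for _, d in flows).values())
    return entropy(src_counts), entropy(dst_counts)


def classify_windows(windows, baseline_n=5, entropy=tsallis,
                     dst_drop=0.5, src_rise=0.015):
    """Label each window after the first `baseline_n` ones.
    'dos'        : destination entropy fell below dst_drop * baseline AND
                   source entropy rose more than src_rise above baseline
                   (one target, many new sources).
    'flash-crowd': destination entropy collapsed but the sources still look
                   like the usual client population.
    Thresholds are in Tsallis q=2 units and need retuning for `shannon`."""
    base = [window_entropy(w, entropy) for w in windows[:baseline_n]]
    base_src = sum(s for s, _ in base) / len(base)
    base_dst = sum(d for _, d in base) / len(base)
    verdicts = ["baseline"] * len(base)
    for w in windows[baseline_n:]:
        src_h, dst_h = window_entropy(w, entropy)
        concentrated = dst_h < dst_drop * base_dst
        new_sources = (src_h - base_src) > src_rise
        if concentrated and new_sources:
            verdicts.append("dos")
        elif concentrated:
            verdicts.append("flash-crowd")
        else:
            verdicts.append("normal")
    return verdicts


def constructed_windows(seed=7, per_window=200):
    """Constructed traffic: 6 normal windows (5 used as baseline), then a flash
    crowd from the regular clients, then a spoofed-source flood."""
    rng = random.Random(seed)
    clients = [f"10.0.0.{i}" for i in range(40)]    # regular client pool
    servers = [f"192.0.2.{i}" for i in range(50)]   # server pool

    def normal_window():
        return [(rng.choice(clients), rng.choice(servers)) for _ in range(per_window)]

    windows = [normal_window() for _ in range(6)]
    windows.append([(rng.choice(clients), servers[0]) for _ in range(per_window)])
    windows.append([(f"198.51.100.{i}", servers[0]) for i in range(per_window)])
    return windows


if __name__ == "__main__":
    wins = constructed_windows()
    for i, (w, verdict) in enumerate(zip(wins, classify_windows(wins))):
        s, d = window_entropy(w)
        print(f"window {i}: src_S2={s:.3f} dst_S2={d:.3f} -> {verdict}")
```

With q=2, the destination entropy of a single-target window is exactly 0 and the source entropy of 200 distinct spoofed sources is 1 - 1/200, so the flood is separated from the baseline by a fixed margin while the flash crowd, drawn from the same 40 clients, cannot exceed the baseline's theoretical maximum. Passing `entropy=shannon` shows the same mechanics in bits; the sensitivity comparison the article reports is a property of the PNNL evaluation, not something this toy establishes.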
