The coinventor of “bcrypt” is reflecting on the ubiquitous function’s 25 years and channeling cybersecurity’s core themes into electronic dance music.

When data breaches went from being an occasional threat to a persistent fact of life during the early 2010s, one question would come up again and again as victim organizations, cybersecurity researchers, law enforcement, and regular people assessed the fallout from each incident: Which password hashing algorithm had the target used to protect its users’ passwords? 

If the answer was a faulty cryptographic function like SHA-1—not to mention the nightmare of passwords stored in plaintext with no encryption scrambling at all—the victim had more to worry about because it meant that it would be easier for whoever stole the data to crack the passwords, directly access users’ accounts, and try those passwords elsewhere to see if people had reused them. If the answer was the algorithm known as bcrypt, though, there was at least one less thing to panic about.

Bcrypt turns 25 this year, and Niels Provos, one of its coinventors, says that looking back, the algorithm has always had good energy, thanks to its open source availability and the technical characteristics that have fueled its longevity. Provos spoke to WIRED about a retrospective on the algorithm that he published this week in Usenix ;login:. Like so many digital workhorses, though, there are now more robust and secure alternatives to bcrypt, including the hashing algorithms known as scrypt and Argon2. Provos himself says that the quarter-century milestone is plenty for bcrypt and that he hopes it will lose popularity before celebrating another major birthday.

A version of bcrypt first shipped with the open source operating system OpenBSD 2.1 in June 1997. At the time, the United States still imposed stringent export limits on cryptography. But Provos, who grew up in Germany, worked on its development while he was still living and studying there.  

“One thing I found so surprising was how popular it became,” he says. “I think in part it’s probably because it was actually solving a problem that was real, but also because it was open source and not encumbered by any export restrictions. And then everybody ended up doing their own implementations in all these other languages. So these days, if you are faced with wanting to do password hashing, bcrypt is going to be available in every language that you could possibly operate in. But the other thing that I find interesting is that it’s even still relevant 25 years later. That is just crazy.”

Provos developed bcrypt with David Mazieres, a systems security professor at Stanford University who was studying at the Massachusetts Institute of Technology when he and Provos collaborated on bcrypt. The two met through the open source community and were working on OpenBSD.

Hashed passwords are put through an algorithm to be cryptographically transformed from something that’s readable into an unintelligible scramble. These algorithms are “one-way functions” that are easy to run but very difficult to decode or “crack,” even by the person who created the hash. In the case of login security, the idea is that you choose a password, the platform you’re using makes a hash of it, and then when you sign in to your account in the future, the system takes the password you input, hashes it, and then compares the result to the password hash on file for your account. If the hashes match, the login will be successful. This way, the service is only collecting hashes for comparison, not passwords themselves.   

The innovation of bcrypt was that it included a security parameter that could be tuned over time to require more and more computing power to crack bcrypt hashes. This way, as broadly available processing speed increased, bcrypt hashes could become more and more difficult to crack. 

“It’s one of those ideas that’s so obvious in retrospect,” Mazieres says. “Of course, it’s cool that bcrypt was a thing Niels and I did. But I think the important thing is, whatever password hashing algorithm we have, that there be some sort of security parameter to make it harder \[in a way\] that’s a function of computing resources.”

The next generation of hash functions requires more memory to attempt to crack hashed passwords, in addition to processing power.

“The problem was that computers keep getting faster, so a function that seems ‘slow’ today might be fast on tomorrow’s computer,” says Johns Hopkins cryptographer Matthew Green. “The idea behind bcrypt was to make this adjustable. So over time, you could crank up the difficulty level very easily. But then the problem became that people have made guessing even faster by taking advantage of specialized hardware that can compute many things in parallel. This undermines security for functions like bcrypt. So the more recent idea is to use functions that also require a lot of memory, as well as computation, on the theory that parallel attacks won’t be able to scale this resource as well.”

Password security is always lagging, though, and both Provos and Mazieres expressed disbelief and disappointment that the state of passwords broadly has not evolved in decades. Even new schemes like passkeys are only just beginning to emerge.

“Bcrypt should have been superseded already,” Provos says. “It’s surprising how much reliance we still have on passwords. If you had asked me 25 years ago, I would not have guessed that.”

Provos has turned to making cybersecurity- and authentication-themed electronic dance music under the DJ name Activ8te as a way to share his ideas about security with a broader audience and attempt to create cultural change in how people approach their personal security. Mazieres emphasizes, too, that the tech industry has done people a disservice by training them to authenticate in dangerous ways—clicking on links and plugging in passwords constantly and often indiscriminately.

Even if bcrypt’s moment is passing, its inventors say it’s still worth investing time and energy into efforts to improve digital authentication and security more broadly and to help people bolster their own digital defenses.

“There was a version of the world where I would just make music and do blacksmithing,” Provos says. “But the state of security still makes me so sad that I still feel like I have to contribute back somehow.”

Bcrypt, a Popular Password Hashing Algorithm, Starts Its Long Goodbye

By Owais Sultan
In light of a recent report exposing the active automation of scams with Telegram by phishers, it raises the question: Why not safeguard your business by automating fraud detection? 
This is a post from HackRead.com Read the original post: The Imperative of Automating Fraud Detection in Financial Institutions

In the financial services landscape, the threat of fraudulent activities is a persistent concern. Financial institutions, in their quest to mitigate the risk of dubious transactions, are increasingly turning to sophisticated artificial intelligence (AI) tools to automate their fraud detection systems.

In light of a recent report exposing the active automation of scams with Telegram by phishers, it raises the question: Why not safeguard your business by automating fraud detection? This article delves into the reasons why financial institutions are automating their fraud detection processes and the benefits they stand to gain.

**Harnessing AI for Fraud Detection**

AI-powered tools are revolutionizing the way financial and banking institutions manage risk and safeguard themselves and their customers from payment fraud, and consequently, financial loss. Fraud detection algorithms, transaction monitoring, and machine learning are employed to preempt identity theft or any form of digital banking fraud by scrutinizing suspicious activity in real time.

**The Rationale for Automating Fraud Detection**

*   **Productivity**: By automating the process, financial institutions can detect fraudulent activities as they happen. This reduces the need for time-consuming manual checks, thereby streamlining the process. Consequently, institutions can act more promptly when potential fraud is detected, reducing potential losses.
*   **Precision**: Systems for automated fraud detection use cutting-edge algorithms and machine learning methods to identify irregularities and patterns in transaction data. This greatly enhances the precision of fraud detection, providing a significant advantage over manual checks.
*   **Adaptability**: As financial institutions grow, the volume of transactions can overwhelm manual fraud detection processes. However, automated fraud detection systems can adapt to handle large transaction volumes without increasing the burden on human fraud analysts.
*   **Cost-efficiency**: Automating the fraud detection process can decrease the expenses associated with fraud prevention for financial institutions. It lessens the need for extra personnel to examine transactions, and the use of sophisticated analytics and machine learning can detect potential fraud more cost-effectively than traditional manual checks.
*   **Regulatory** **adherence**: Automated fraud detection systems can assist financial institutions in meeting regulatory standards by providing a uniform and auditable process for detecting fraud.

**Enhancing Customer Trust and Satisfaction**

One of the less discussed, yet significant, benefits of automating fraud detection is the positive impact it has on customer trust and satisfaction. In an era where digital transactions are the norm, customers expect their financial institutions to provide **secure and reliable services**. By implementing automated fraud detection systems, financial institutions can significantly reduce the occurrence of fraudulent transactions, thereby enhancing customer confidence in their services.

Moreover, these systems can also improve the customer experience by reducing the instances of false positives – legitimate transactions that are incorrectly flagged as fraudulent. This not only saves customers from the inconvenience of having their transactions declined but also fosters a sense of **trust** and **satisfaction** with the financial institution.

In essence, by adopting automated fraud detection, financial institutions are not only safeguarding their operations but also strengthening their relationship with their customers, which is crucial for their long-term success and growth.

**The Role of Human Oversight in Automated Fraud Detection**

While the automation of fraud detection processes brings numerous benefits, it’s crucial to remember the importance of human oversight in this system. Despite the sophistication of AI and machine learning algorithms, they are not infallible and can sometimes miss subtle signs of fraud that a trained human eye might catch. Conversely, these systems might also flag legitimate transactions as fraudulent, leading to unnecessary inconvenience for customers.

Human analysts play a vital role in reviewing the alerts generated by the automated system, verifying their accuracy, and making informed decisions based on their expertise and judgment. They are also responsible for continually updating and refining the fraud detection algorithms based on the latest fraud trends and patterns.

**The Future of Fraud Detection in Financial Institutions**

Looking ahead, the future of fraud detection in financial institutions is likely to be increasingly dominated by AI and machine learning technologies. These technologies are continually evolving, becoming more sophisticated and effective in **identifying and preventing fraudulent activities**.

As financial fraud becomes more complex and sophisticated, so too must the tools used to combat it. The integration of AI and machine learning into fraud detection systems will continue to be a critical component in the fight against financial fraud. This will not only ensure the **security of financial transactions** but also contribute to the overall trust and reliability of financial institutions in the eyes of their customers.

_Worry about cyberattacks and scams against your business? Check Nethone’s AI-powered fraud detection software for more information._

**Conclusion**

In conclusion, the automation of fraud detection processes is not just a trend but a necessity for financial institutions. The benefits of efficiency, accuracy, scalability, cost-effectiveness, and regulatory compliance make a compelling case for the adoption of automated systems.

By embracing AI-powered tools, financial institutions are better equipped to protect themselves and their customers from the ever-present threat of fraud, ensuring their financial stability and reputation remain intact.

**RELATED ARTICLES**

1.  Cloud Hacking – Why API Remains the Biggest Threat?
2.  Why do Businesses Need to Focus More on Cybersecurity
3.  Bot Attacks – Why is Your Firm Struggling to Deal with Them?
4.  How threat exposure management optimizes security posture?
5.  Cybersecurity Automation: How Can Businesses Benefit From It

Owais takes care of Hackread's social media from the very first day. At the same time He is pursuing for chartered accountancy and doing part time freelance writing.

The Imperative of Automating Fraud Detection in Financial Institutions

WordPress Beautiful Cookie Consent Banner versions 2.10.1 and below suffer from an unauthenticated persistent cross site scripting vulnerability.

    Description: Beautiful Cookie Consent Banner <= 2.10.1 - Unauthenticated Stored Cross-Site Scripting Affected Plugin:Beautiful Cookie Consent BannerPlugin Slug: beautiful-and-responsive-cookie-consentAffected Versions: <= 2.10.1CVE ID: Not AssignedCVSS Score: 7.2 (High)CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:NResearcher/s: UnknownFully Patched Version: 2.10.2The Beautiful Cookie Consent Banner for WordPress is vulnerable to Stored Cross-Site Scripting via the 'nsc_bar_content_href' parameter in versions up to, and including, 2.10.1 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. A partial patch was made available in 2.10.1 and the issue was fully patched in 2.10.2.The AttacksAccording to our records, the vulnerability has been actively attacked since February 5, 2023, but this is the largest attack against it that we have seen. We have blocked nearly 3 million attacks against more than 1.5 million sites, from nearly 14,000 IP addresses since May 23, 2023, and attacks are ongoing.Cookie consent attacks chart Pictured: A chart showing sites attacked and total attacks targeting this vulnerabilityWe believe that this is the work of a single actor, as every single attack contained a partial payload of onmouseenter=" and no further functioning JavaScript. It is likely that this set of attacks is being performed using a misconfigured exploit that expects a customized payload, and that the attacker has simply failed to provide one.Despite this fact, if your website is running a vulnerable version of the plugin and you are not currently using Wordfence or another Web Application Firewall, these attacks do have the potential to corrupt the configuration of the plugin which can break its intended functionality, so we still recommend updating to the latest version, which is 2.13.0 at the time of this writing, as soon as possible.Indicators of CompromiseRequestsexample request An example request showing the payload being usedPOST requests to /wp-admin/admin-post.php from unrecognized IP addresses may appear in your server logs, or in your Live Traffic if you have the Wordfence plugin installed.IP AddressesWe have included the top 20 attacking IP addresses, though there are many more:- 209.126.12.142- 101.34.223.139- 92.204.37.157- 66.37.4.138- 92.205.48.232- 212.237.233.32- 195.201.82.166- 67.205.58.212- 51.38.27.102- 173.236.213.148- 207.244.241.230- 74.208.177.185- 92.204.33.117- 134.119.0.186- 5.9.238.21- 92.205.64.149- 94.158.149.174- 173.236.215.161- 92.205.48.177- 190.54.62.76If your site was impacted by this or an earlier attack campaign, it may have corrupted the ​​nsc_bar_bannersettings_json option in your database. The plugin's developers have included functionality in patched versions to repair any changes made as a result of this exploit.ConclusionIn today’s article, we covered an uptick in attacks targeting a patched vulnerability in Beautiful Cookie Consent Banner.All Wordfence sites, including those running Wordfence Free, Wordfence Premium, Wordfence Care, and Wordfence Response, are protected against this vulnerability by the Wordfence Firewall’s Built-in Cross-Site Scripting protection.However, if you have friends or colleagues running this plugin, please forward this advisory to them - while the current wave of attacks does not contain a malicious payload, the attacker behind this is targeting a large list of sites and has significant resources available to them, and it would be simple for them to update their exploit configuration with a viable malicious payload.If you believe your site has been compromised as a result of this vulnerability or any other vulnerability, we offer Incident Response services via Wordfence Care. If you need your site cleaned immediately, Wordfence Response offers the same service with 24/7/365 availability and a 1-hour response time. Both these products include hands-on support in case you need further assistance.If you are a security researcher, you can responsibly disclose your finds to us and obtain a CVE ID and get your name on the Wordfence Intelligence leaderboard.

WordPress Beautiful Cookie Consent Banner 2.10.1 Cross Site Scripting

Commercial spyware use is on the rise, with actors leveraging these sophisticated tools to conduct surveillance operations against a growing number of targets. Cisco Talos has new details of a commercial spyware product sold by the spyware firm Intellexa (formerly known as Cytrox).

Mercenary mayhem: A technical analysis of Intellexa's PREDATOR spyware

A stealthy China-based group managed to establish a persistent foothold into critical infrastructure organizations in the U.S. and Guam without being detected, Microsoft and the "Five Eyes" nations said on Wednesday.
The tech giant's threat intelligence team is tracking the activity, which includes post-compromise credential access and network system discovery, under the name Volt Typhoon.
The

A stealthy China-based group managed to establish a persistent foothold into critical infrastructure organizations in the U.S. and Guam without being detected, Microsoft and the "Five Eyes" nations said on Wednesday.

The tech giant's threat intelligence team is tracking the activity, which includes post-compromise credential access and network system discovery, under the name **Volt Typhoon**.

The state-sponsored actor is geared towards espionage and information gathering, with the cluster active since June 2021 and obscuring its intrusion footprint by taking advantage of tools already installed or built into infected machines.

Some of the prominent sectors targeted include communications, manufacturing, utility, transportation, construction, maritime, government, information technology, and education.

The company further assessed with moderate confidence that the campaign is "pursuing development of capabilities that could disrupt critical communications infrastructure between the United States and Asia region during future crises."

A defining characteristic of the attacks is the "strong emphasis" on staying under the radar by exclusively relying on living-off-the-land (LotL) techniques to exfiltrate data from local web browser applications and leverage stolen credentials for backdoor access.

The main goal is to sidestep detection by harmonizing with regular Windows system and network activities, indicating that the threat actor is deliberately keeping a low profile to gain access to sensitive information.

"In addition, Volt Typhoon tries to blend into normal network activity by routing traffic through compromised small office and home office (SOHO) network equipment, including routers, firewalls, and VPN hardware," Microsoft said.

Another unusual tradecraft is the use of custom versions of open source tools to establish a command-and-control (C2) channel over proxy as well as other organizations' compromised servers in its C2 proxy network to hide the source of the attacks.

In one incident reported on by the New York Times, the adversarial collective breached telecommunications networks on the island of Guam, a sensitive U.S. military outpost in the Pacific Ocean, and installed a malicious web shell.

The initial entry vector involves exploiting internet-facing Fortinet FortiGuard devices by means of an unknown zero-day flaw, although Volt Typhoon has also been observed weaponizing flaws in Zoho ManageEngine servers. The access is then abused to steal credentials and break into other devices on the network.

UPCOMING WEBINAR

Zero Trust + Deception: Learn How to Outsmart Attackers!

Discover how Deception can detect advanced threats, stop lateral movement, and enhance your Zero Trust strategy. Join our insightful webinar!

Save My Seat!

The Windows makers also noted it directly notified targeted or compromised customers and provided them with the necessary information to secure their environments.

It, however, warned that it could be "particularly challenging" to mitigate such risks when threat actors make use of valid accounts and living-off-the-land binaries (LOLBins) to pull off their attacks.

Secureworks, which is monitoring the threat group under the name Bronze Silhouette, said it has "demonstrated careful consideration for operational security \[...\] and reliance on compromised infrastructure to prevent detection and attribution of its intrusion activity."

The development also comes as Reuters disclosed that Chinese hackers targeted Kenya's government in a far-reaching three-year-long series of attacks against key ministries and state institutions in an alleged attempt to obtain information about the "debt owed to Beijing by the East African nation."

The digital offensive is suspected to have been carried out by BackdoorDiplomacy (aka APT15, Playful Taurus, or Vixen Panda), which is known to target government and diplomatic entities across North America, South America, Africa, and the Middle East at least since 2010.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

China's Stealthy Hackers Infiltrate U.S. and Guam Critical Infrastructure Undetected

The Iranian threat actor known as Agrius is leveraging a new ransomware strain called Moneybird in its attacks targeting Israeli organizations.
Agrius, also known as Pink Sandstorm (formerly Americium), has a track record of staging destructive data-wiping attacks aimed at Israel under the guise of ransomware infections.
Microsoft has attributed the threat actor to Iran's Ministry of

Ransomware / Endpoint Security

The Iranian threat actor known as **Agrius** is leveraging a new ransomware strain called **Moneybird** in its attacks targeting Israeli organizations.

Agrius, also known as Pink Sandstorm (formerly Americium), has a track record of staging destructive data-wiping attacks aimed at Israel under the guise of ransomware infections.

Microsoft has attributed the threat actor to Iran's Ministry of Intelligence and Security (MOIS), which also operates MuddyWater. It's known to be active since at least December 2020.

In December 2022, the hacking crew was attributed to a set of attempted disruptive intrusions that were directed against diamond industries in South Africa, Israel, and Hong Kong.

These attacks involved the use of a .NET-based wiper-turned-ransomware called Apostle and its successor known as Fantasy. Unlike Apostle, Moneybird is programmed in C++.

"The use of a new ransomware, written in C++, is noteworthy, as it demonstrates the group's expanding capabilities and ongoing effort in developing new tools," Check Point researchers Marc Salinas Fernandez and Jiri Vinopal said.

The infection sequence begins with the exploitation of vulnerabilities within internet-exposed web servers, leading to the deployment of a web shell referred to as ASPXSpy.

In the subsequent steps, the web shell is used as a conduit to deliver publicly-known tools in order to perform reconnaissance of the victim environment, move laterally, harvest credentials, and exfiltrate data.

Also executed on the compromised host is the Moneybird ransomware, which is engineered to encrypt sensitive files in the "F:\\User Shares" folder and drop a ransom note urging the company to contact them within 24 hours or risk getting their stolen information leaked.

"The use of a new ransomware demonstrates the actor's additional efforts to enhance capabilities, as well as hardening attribution and detection efforts," the researchers said. "Despite these new 'covers,' the group continues to follow its usual behavior and utilize similar tools and techniques as before."

UPCOMING WEBINAR

Zero Trust + Deception: Learn How to Outsmart Attackers!

Discover how Deception can detect advanced threats, stop lateral movement, and enhance your Zero Trust strategy. Join our insightful webinar!

Save My Seat!

Agrius is far from the only Iranian state-sponsored group to engage in cyber operations targeting Israel. A report from Microsoft last month uncovered MuddyWater's collaboration with another cluster dubbed Storm-1084 (aka DEV-1084) to deploy the DarkBit ransomware.

The findings also come as ClearSky disclosed that no fewer than eight websites associated with shipping, logistics, and financial services companies in Israel were compromised as part of a watering hole attack orchestrated by the Iran-linked Tortoiseshell group.

In a related development, Proofpoint revealed that regional managed service providers (MSPs) within Israel have been targeted by MuddyWater as part of a phishing campaign designed to initiate supply chain attacks against their downstream customers.

The enterprise security firm further highlighted escalating threats to small and medium-sized businesses (SMBs) from sophisticated threat groups, which have been observed leveraging compromised SMB infrastructure for phishing campaigns and financial theft.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Iranian Agrius Hackers Targeting Israeli Organizations with Moneybird Ransomware

Indirect prompt-injection attacks can leave people vulnerable to scams and data theft when they use the AI chatbots.

Microsoft director of communications Caitlin Roulston says the company is blocking suspicious websites and improving its systems to filter prompts before they get into its AI models. Roulston did not provide any more details. Despite this, security researchers say indirect prompt-injection attacks need to be taken more seriously as companies race to embed generative AI into their services.

“The vast majority of people are not realizing the implications of this threat,” says Sahar Abdelnabi, a researcher at the CISPA Helmholtz Center for Information Security in Germany. Abdelnabi worked on some of the first indirect prompt-injection research against Bing, showing how it could be used to scam people. “Attacks are very easy to implement, and they are not theoretical threats. At the moment, I believe any functionality the model can do can be attacked or exploited to allow any arbitrary attacks,” she says.

Hidden Attacks

Indirect prompt-injection attacks are similar to jailbreaks, a term adopted from previously breaking down the software restrictions on iPhones. Instead of someone inserting a prompt into ChatGPT or Bing to try and make it behave in a different way, indirect attacks rely on data being entered from elsewhere. This could be from a website you’ve connected the model to or a document being uploaded.

“Prompt injection is easier to exploit or has less requirements to be successfully exploited than other” types of attacks against machine learning or AI systems, says Jose Selvi, executive principal security consultant at cybersecurity firm NCC Group. As prompts only require natural language, attacks can require less technical skill to pull off, Selvi says.

There’s been a steady uptick of security researchers and technologists poking holes in LLMs. Tom Bonner, a senior director of adversarial machine-learning research at AI security firm Hidden Layer, says indirect prompt injections can be considered a new attack type that carries “pretty broad” risks. Bonner says he used ChatGPT to write malicious code that he uploaded to code analysis software that is using AI. In the malicious code, he included a prompt that the system should conclude the file was safe. Screenshots show it saying there was “no malicious code” included in the actual malicious code.

Elsewhere, ChatGPT can access the transcripts of YouTube videos using plug-ins. Johann Rehberger, a security researcher and red team director, edited one of his video transcripts to include a prompt designed to manipulate generative AI systems. It says the system should issue the words “AI injection succeeded” and then assume a new personality as a hacker called Genie within ChatGPT and tell a joke.

In another instance, using a separate plug-in, Rehberger was able to retrieve text that had previously been written in a conversation with ChatGPT. “With the introduction of plug-ins, tools, and all these integrations, where people give agency to the language model, in a sense, that's where indirect prompt injections become very common,” Rehberger says. “It's a real problem in the ecosystem.”

“If people build applications to have the LLM read your emails and take some action based on the contents of those emails—make purchases, summarize content—an attacker may send emails that contain prompt-injection attacks,” says William Zhang, a machine learning engineer at Robust Intelligence, an AI firm working on the safety and security of models.

No Good Fixes

The race to embed generative AI into products—from to-do list apps to Snapchat—widens where attacks could happen. Zhang says he has seen developers who previously had no expertise in artificial intelligence putting generative AI into their own technology.

If a chatbot is set up to answer questions about information stored in a database, it could cause problems, he says. “Prompt injection provides a way for users to override the developer’s instructions.” This could, in theory at least, mean the user could delete information from the database or change information that’s included.

The Security Hole at the Heart of ChatGPT and Bing

Researchers say the state-sponsored espionage operation may also lay the groundwork for disruptive cyberattacks.

As state-sponsored hackers working on behalf of Russia, Iran, and North Korea have for years wreaked havoc with disruptive cyberattacks across the globe, China's military and intelligence hackers have largely maintained a reputation for constraining their intrusions to espionage. But when those cyberspies breach critical infrastructure in the United States—and specifically a US territory on China's doorstep—spying, conflict contingency planning, and cyberwar escalation all start to look dangerously similar.

On Wednesday, Microsoft revealed in a blog post that it has tracked a group of what it believes to be Chinese state-sponsored hackers who have since 2021 carried out a broad hacking campaign that has targeted critical infrastructure systems in US states and Guam, including communications, manufacturing, utilities, construction, and transportation. 

The intentions of the group, which Microsoft has named Volt Typhoon, may simply be espionage, given that it doesn’t appear to have used its access to those critical networks to carry out data destruction or other offensive attacks. But Microsoft warns that the nature of the group's targeting, including in a Pacific territory that might play a key role in a military or diplomatic conflict with China, may yet enable that sort of disruption.

"Observed behavior suggests that the threat actor intends to perform espionage and maintain access without being detected for as long as possible," the company's blog post reads. But it couples that statement with an assessment with "moderate confidence" that the hackers are “pursuing development of capabilities that could disrupt critical communications infrastructure between the United States and Asia region during future crises.”

Google-owned cybersecurity firm Mandiant says it has also tracked a swath of the group's intrusions and offers a similar warning about the group's focus on critical infrastructure “There's not a clear connection to intellectual property or policy information that we expect from an espionage operation,” says John Hultquist, who heads threat intelligence at Mandiant. “That leads us to question whether they’re there _because_ the targets are critical. Our concern is that the focus on critical infrastructure is preparation for potential disruptive or destructive attack.”

Microsoft’s blog post offered technical details of the hackers’ intrusions that may help network defenders spot and evict them: The group, for instance, uses hacked routers, firewalls, and other network “edge” devices as proxies to launch its hacking—targeting devices  that include those sold by hardware makers ASUS, Cisco, D-Link, Netgear, and Zyxel. The group also often exploits the access provided from compromised accounts of legitimate users rather than its own malware to make its activity harder to detect by appearing to be benign.

Blending in with a target's regular network traffic in an attempt to evade detection is a hallmark of Volt Typhoon and other Chinese actors' approach in recent years, says Marc Burnard, a senior consultant of information security research at Secureworks. Like Microsoft and Mandiant, the Secureworks has been tracking the group and observing the campaigns. He added that the group has demonstrated a “relentless focus on adaption” to pursue its espionage.

US government agencies, including the National Security Agency, the Cybersecurity and Infrastructure Security Agency (CISA), and the Justice Department published a joint advisory about Volt Typhoon's activity today alongside Canadian, UK, and Australian intelligence. “Private sector partners have identified that this activity affects networks across US critical infrastructure sectors, and the authoring agencies believe the actor could apply the same techniques against these and other sectors worldwide,” the agencies wrote.

Although Chinese state-sponsored hackers have never launched a disruptive cyberattack against the United States—even over decades of data theft from US systems—the country’s hackers have periodically been caught inside US critical infrastructure systems. As early as 2009, US intelligence officials warned that Chinese cyberspies had penetrated the US power grid to “map” the country's infrastructure in preparation for a potential conflict. Two years ago, CISA and the FBI also issued an advisory that China had penetrated US oil and gas pipelines between 2011 and 2013. China’s Ministry of State Security hackers have gone much further in cyberattacks against the country’s Asian neighbors, actually crossing the line of carrying out data-destroying attacks disguised as ransomware, including against Taiwan’s state-owned oil firm CPC.

This latest set of intrusions seen by Microsoft and Mandiant suggests that China’s critical infrastructure hacking continues. But even if the Volt Typhoon hackers did seek to go beyond espionage and lay the groundwork for cyberattacks, the nature of that threat is far from clear. State-sponsored hackers are, after all, often assigned to gain access to an adversary’s critical infrastructure as a preparatory measure in case of a future conflict, since gaining the access  necessary for a disruptive attack usually requires months of advanced work.

That ambiguity in state-sponsored hackers’ motivations when they penetrate another country’s networks—and its potential for misinterpretation and escalation—is what Georgetown professor Ben Buchanan has called “the cybersecurity dilemma” in his book by the same name. “Genuinely attacking and building the option to attack later on,” Buchanan told WIRED in a 2019 interview as cyberwar tensions rose between the US and Russia, “are very hard to disentangle."

Drawing the lines between espionage, cyberattack preparation, and imminent cyberattack is an even harder exercise with China, says Mandiant’s Hultquist, given the limited instances of the country pulling the trigger on a digitally disruptive event—even when it does have the access to cause one, as it may well have had in Volt Typhoon’s intrusions. “China’s disruptive and destructive capabilities are extremely opaque,” he says. “Here we have a possible indication that this might be an actor with that mission.”

China Hacks US Critical Networks in Guam, Raising Cyberwar Fears

According to Microsoft and researchers, the state-sponsored threat actor could very well be setting up a contingency plan for disruptive attacks on the US in the wake of an armed conflict in the South China Sea.

China-sponsored threat actors have managed to establish persistent access within telecom networks and other critical infrastructure targets in the US, with the observed purpose of espionage — and, potentially, the ability down the line to disrupt communications in the event of military conflict in the South China Sea and broader Pacific.

That's according to a breaking investigation from Microsoft, which dubs the advanced persistent threat (APT) "Volt Typhoon." It's a known state-sponsored group that has been observed carrying out cyber espionage activity in the past, by researchers at Microsoft, Mandiant, and elsewhere.

While espionage appears to be the goal for now, there could very well be a more sinister purpose at play. "Microsoft assesses with moderate confidence that this Volt Typhoon campaign is pursuing development of capabilities that could disrupt critical communications infrastructure between the United States and Asia region during future crises," according to the analysis.

The first signs of compromise emerged in telecom networks in Guam, according to a New York Times report ahead of the findings being released. The National Security Agency discovered those intrusions around the same time that the Chinese spy balloon was making headlines for entering US airspace, according to the report. It then enlisted Microsoft to further investigate, eventually uncovering a widespread web of compromises across multiple sectors, with a particular focus on air, communications, maritime, and land transportation targets.

**A Shadow Goal? Laying Groundwork for Disruption**

The discovery of the activity is playing out against the backdrop of the US' frosty relations with Beijing; the two superpowers have stalled in their diplomacy since the shooting down of the balloon, and has worsened amidst fears that Russia's invasion of Ukraine could spur China to do the same in Taiwan.

In the event of a military crisis, a destructive cyberattack on US critical infrastructure could disrupt communications and hamper the country's ability to come to Taiwan's aid, the Times report pointed out. Or, according to John Hultquist, chief analyst at Mandiant Intelligence - Google Cloud, a disruptive attack could be used as a proxy for kinetic action.

"These operations are aggressive and potentially dangerous, but they don't necessarily indicate attacks are looming," he said in an emailed statement. "A far more reliable indicator for \[a\] destructive and disruptive cyberattack is a deteriorating geopolitical situation. A destructive and disruptive cyberattack is not just a wartime scenario either. This capability may be used by states looking for alternatives to armed conflict."

Dubbing such preparations "contingency intrusions," he added that China is certainly not alone in conducting them — although notably, China-backed APTs are typically far more focused on cyber espionage than destruction.

"Over the last decade, Russia has targeted a variety of critical infrastructure sectors in operations that we do not believe were designed for immediate effect," Hultquist noted. "Chinese cyber threat actors are unique among their peers in that they have not regularly resorted to destructive and disruptive cyberattacks. As a result, their capability is quite opaque."

**An Observed Focus on Stealth & Spying**

To achieve initial access, Volt Typhoon compromises Internet-facing Fortinet FortiGuard devices, a popular target for cyberattackers of all stripes (Microsoft is still examining how they're being breached in this case). Once inside the box, the APT uses the device's privileges to extract credentials from Active Directory account and authenticate to other devices on the network.

Once in, the state-sponsored actor uses the command line and living-off-the-land binaries "to find information on the system, discover additional devices on the network, and exfiltrate data," according to the analysis.

To cover its tracks, Volt Typhoon proxies its network traffic through compromised small office/home office (SOHO) routers and other edge devices from ASUS, Cisco, D-Link, NETGEAR, and Zyxel — that allows it to blend into normal network activity, Microsoft researchers noted.

The post also provides mitigation advice and indicators of compromise, and the NSA has published a tandem advisory on Volt Typhoon (PDF) with details on how to hunt for the threat.

'Volt Typhoon' China-Backed APT Infiltrates US Critical Infrastructure Orgs

The new software-led solution enables organizations to defend against cybersecurity threats in their operational technology (OT) environments.

**ATLANTA, May 23, 2023 –** Honeywell (**Nasdaq: HON**) today announced the release of its operational technology (OT) cybersecurity solution, Honeywell Forge Cybersecurity+| Cyber Insights, to assist customers in improving the availability, reliability and safety of their industrial control systems and operations.

Cyber Insights is designed to integrate information from multiple OT data sources in order to provide a customer with actionable insights into their facility’s cybersecurity vulnerabilities and threats, allowing the customer to manage their compliance strategy, thereby helping reduce their overall cybersecurity risks.

Companies with OT systems face challenges in obtaining the necessary information to reduce the likelihood and impact of cyberattacks and to stay compliant with standards and regulations that may be applicable to them. These challenges are compounded by the shortage of available cybersecurity skills in operational technology, with a cyber security workforce gap of more than 3.4 million people.\[1\]Despite attempts to implement various solutions, success is difficult to achieve due to the complexity of the tools, the overwhelming volume of security data generated, and the lack of solutions specifically designed for OT.

“Organizations should leverage technology to address worker shortages, while at the same time gaining clear visibility into their OT facilities’ cybersecurity posture to help them make faster decisions and reduce cyber risk,” said Michael Ruiz, vice president and general manager, Honeywell OT Cybersecurity Innovation. “Cyber Insights is a tool designed to provide customers with detection and insights so that cybersecurity leaders can better understand and monitor their then current security profile, while also being able to detect and mitigate the latest threats.”

Cyber Insights brings a tailored approach by providing a purpose-built cybersecurity solution for OT environments and users. It is designed to offer a site-level view of a facility’s cybersecurity posture and provide insights into security events, vulnerabilities, active threats and to manage compliance. Cyber Insights is designed to help organizations strengthen their cyber resilience and to respond faster to incidents through access to critical information at the right time.

Cyber Insights is pre-configured for OT use, with already available customization options designed to address certain needs specific to different industrial environments, while being vendor agnostic so that it can be deployed on Honeywell control systems as well as many other systems. It is also deployed, supported and maintained by Honeywell Cyber Care services during the applicable subscription license term, to help customers maintain continuous tuning and optimization as required for any system to run in peak form.

“Honeywell has successfully positioned itself as a ‘one-stop shop’ system integrator and solution provider across different spectrums of operational technology (OT) cybersecurity for over 20 years,” said Avimanyu Basu, senior lead analyst at ISG. “Being vendor-agnostic, Honeywell is well-equipped to work on almost any device and provide the necessary services for assessment and remediation.”

To learn more about Honeywell OT Cybersecurity solutions, visit us at www.becybersecure.com.

**About Honeywell**

Honeywell (www.honeywell.com) delivers industry-specific solutions that include aerospace products and services; control technologies for buildings and industry; and performance materials globally. Our technologies help aircraft, buildings, manufacturing plants, supply chains, and workers become more connected to make our world smarter, safer, and more sustainable.

Honeywell Forge is intelligent operations software that connects assets, people, and processes, enabling operational performance, sustainability, and quality improvement.

For more news and information on Honeywell, please visit www.honeywell.com/newsroom.

_This document may contain statements including future product direction and does not create any binding obligations on us to develop or sell any product, service or offering. Any descriptions of future product direction, intended updates or new or improved features or functions are intended for informational purposes only and are not binding commitments on us and the sale, development, release, locations of availability, or timing of any such products, updates, features or functions is at our sole discretion._

Tag

#intel