Cyber
The Next Frontier
Become part of a critical layer of cyber defense. Cybersecurity positions will make up 45% of all US tech job openings.
The National Security Agency designated the University of Arizona's Cyber Operations program as a Center of Academic Excellence in Cyber Operations (CAE-CO). With this designation, UA joins an extremely exclusive group of only 24 cyber programs in the nation. The NSA's CAE-CO designation demonstrates that UA's Cyber Operations program meets the most demanding academic and technical requirements.
The Bachelor of Applied Science in Cyber Operations prepares graduates for cyber-related occupations in defense, law enforcement, and private industry.
Our curriculum includes both offensive and defensive cyber security content delivered within our state-of-the-art Virtual Learning Environment to ensure our students have extensive hands-on experiences to develop the knowledge, skills, and abilities necessary to succeed after they graduate.
Cyber
Engineering
Defense
& Forensics
Cyber Law
& Policy
Program News
DoD Cyber Scholarship Program (CySP)
The DoD CySP is a yearly scholarship program aimed at Juniors and Seniors pursuing a bachelor’s degree in cyber-related academic disciplines. The CySP is a 1-year scholarship, which grants selected Cyber Scholars tuition and mandatory fees (including health care), funding for books, a $25K annual stipend, and guaranteed employment with a DoD agency upon graduation.Cyber News
US and UK release guidelines for secure AI development
U.S. and British authorities released guidelines Sunday for how to securely develop and deploy AI systems, the latest in a string of initiatives by Washington and London to address the security risks posed by machine learning technologies.
Developed by a coalition of cybersecurity and intelligence agencies together with technology firms and research organizations, the voluntary guidelines provide a set of recommendations to organizations about how to develop and build AI systems with security in mind.
The high-level document provides advice across design, development, deployment and secure operation and maintenance of AI systems. By applying concepts from cybersecurity — such as threat modeling, supply chain security and incident response — the document aims to encourage the developers and users of AI to prioritize security concerns.
“We are at an inflection point in the development of artificial intelligence, which may well be the most consequential technology of our time. Cybersecurity is key to building AI systems that are safe, secure, and trustworthy,” Secretary of Homeland Security Alejandro Mayorkas said in a statement.
As AI systems are rapidly deployed across society, developers and policymakers are rushing to address safety and security concerns posed by the technology.
Last month, President Joe Biden signed an executive order directing the federal government to step up efforts to develop standards for addressing security concerns, particularly around red team models and watermarking AI-generated content. Earlier this month, the Cybersecurity and Infrastructure Security Agency released a roadmap for addressing the threat posed by AI to critical infrastructure. At a conference in London, a coalition of 28 states committed to subjecting leading AI models to intensive testing before release.
But experts caution that addressing the risks of AI continues to lag behind efforts to develop and deploy the cutting edge of the technology. Though thin on technical detail, Sunday’s standards aim to provide a set of principles that both AI users and developers can use to harden their systems.
CISA Director Jen Easterly called the guidelines “a key milestone in our collective commitment — by governments across the world — to ensure the development and deployment of artificial intelligence capabilities that are secure by design.”
CISA released the document together with the United Kingdom’s National Cyber Security Centre. The guidelines were authored by 21 security agencies and ministries spanning the G7 nations. A who’s who of AI firms — ranging from OpenAI to Anthropic to Microsoft — provided input, together with research organizations like RAND and Georgetown’s Center for Security and Emerging Technology.
The post US and UK release guidelines for secure AI development appeared first on CyberScoop.
Shadowy hacking group targeting Israel shows outsized capabilities
A hacking campaign displaying what researchers say is some of the most advanced publicly known tradecraft targeting Israel in recent years is showing signs of active development and evolution, a troubling development that has so far blended into the noise of near constant cyber operations targeting Israel.
There’s been no shortage of cyberattacks of varying severity targeting Israeli institutions, particularly in the wake of Hamas’ Oct. 7 attack, but the tradecraft and capabilities displayed by the so-far unattributed group is far more sophisticated, said Nicole Fishbein, a researcher with Intezer.
Dubbed “WildCard,” the group in question appears to be linked to a nearly year-long attack targeting the Israel Electric Corporation, which is Israel’s largest electrical supplier, between April 2016 and February 2017 that researchers at the time called “Electric Powder.”
In January 2022, Fishbein’s firm identified a piece of malware called “SysJoker” that impressed the researchers by its quality development, both in C++ and a multi-platform toolkit, which Fishbein explained is “highly unusual for threat actors in the Middle East scene, especially the kinds of actors we normally see attacking Israel.”
The group’s techniques, tactics and procedures are “unusually mature for the Israeli threat landscape,” she said.
In an analysis published Monday and shared exclusively with CyberScoop, Intezer revealed that over the course of 2022 and 2023 WildCard deployed new malware similar to SysJoker and developed a version in the Rust programming language, which experts say can aid in efficiency, cross-platform performance and avoiding detection.
“As we discovered their new operations, we realized that they’d pushed these development capabilities even further, adopting Rust as their new programming language and re-implementing previously reported functionalities,” Fishbein said.
Fishbein added that WildCard appears to be masking its components as legitimate web development packages and that the group may be delivering these components to Israeli developers using trojanized applications spread through social engineering campaigns.
Following Hamas’s Oct. 7 attack on Israel and amid the subsequent fighting, hacking groups have targeted with Israel with a variety of operations, but these have consisted mostly of distributed denial-of-service attacks, the posting of hacked data, and improvised claims of exaggerated access to water treatment facilities and other critical infrastructure from some Iranian-backed cyber groups, experts have said.
Nonetheless, senior Israeli officials have said they’re worried about cyber escalations as the conflict drags on, particularly from the Iranian-linked hacking groups.
Given its sophistication, WildCard appears to be linked to nation state, but it remains unattributed. According to Intezer’s analysis, the group has targeted Israel for at least 8 years, meaning that its operations are not directly linked to the current round of fighting though it continued targeting Israel after the attacks of Oct 7.
A plethora of hacking groups, some with ties to Iran, Hezbollah or Hamas, have been active in the region for years and have been tracked by government agencies and industry experts under names such as Arid Viper, Gaza Cyber Gang (Molerats), Plaid Rain, and more. Check Point, an Israeli cybersecurity firm, said it has also been tracking the updated versions of SysJoker and said it has been “utilized by a Hamas-affiliated APT to target Israel.”
Fishbein cautioned against concluding that WildCard is a Hamas- or Hezbollah-affiliated operation. “The development capabilities are much better than what we’ve seen with Hamas or Hezbollah affiliated threat actors so far,” Fishbein said.
Researchers have speculated that the Electric Powder attacks to which WildCard is linked were the work of Molerats — a seasoned and effective Palestinian-aligned hacking operation — but Fishbein sees WildCard as a cut above. “What we see now with the WildCard [advanced persistent threat] is a threat actor whose malware development capabilities far exceed those clusters,” she said
Juan Andrés Guerrero-Saade, Associate Vice President of SentinelLabs, SentinelOne’s threat research group, told CyberScoop that what’s known about WildCard suggests a distinct group with outsized capabilities.
“I don’t know of many threat actors doing multi platform C++ dev (and now Rust) in that region,” he said in an online chat. “If their connection with Electric Powder proves out then that’s huge,” he added, calling WildCard an “asymmetrical threat with a greater development capability and interest in critical infrastructure.”
During the Electric Powder campaign, which lasted from April 2016 to at least February 2017, attackers spread malware “via fake Facebook profiles and pages, breached websites, self-hosted and cloud based websites,” researchers with ClearkSky wrote in March 2017. The campaign targeted the Israel Electric Company, which at the time provided roughly 75% of the country’s electrical production capacity.
Guerrero-Saade said that on the scale of threats facing Israel, “this is definitely up there. We aren’t seeing them leak what they’re getting,” he said, and noted that the Electric Powder attack was “extremely worrying.”
Fishbein said WildCard is “definitely operating at a more advanced level than the usual threat actors that focus exclusively on Israel,” and that the group, in particular, needs more attention.
“WildCard has been insistent in focusing on Israel for nearly 8 years with intrusions aimed at strategic sectors, without a clear affiliation to a nation-state, and without announcing their successes like low-end hacktivists groups would,” she added. “Their professionalism and intent make them more concerning than the average threat to Israel.”
The post Shadowy hacking group targeting Israel shows outsized capabilities appeared first on CyberScoop.
Researchers want more detail on industrial control system alerts
At the beginning of July, Rockwell Automation released a security advisory about a vulnerability in one of its products. Working with the U.S. government, the company said it had become aware that a state-backed hacking unit had developed the ability to run malicious code on the communication modules of an industrial controller.
The company wouldn’t identify who had this ability to attack its products and an accompanying advisory from the Cybersecurity and Infrastructure Security Agency said there were no known instances of the vulnerability being exploited in the wild.
It’s rare that vulnerabilities affecting industrial control systems that are targeted by hackers working on behalf of nation states are discovered before they are exploited. By publicly revealing the vulnerability and urging customers to patch their system, Rockwell may have effectively burned the ability of a foreign intelligence agency to attack U.S. critical infrastructure systems.
But computer security researchers caution that advisories of this nature often lack key information, causing delays in addressing them. While alerts affecting nation states targeting industrial control systems may require a measure of secrecy, computer security researchers argue they are too often stymied in obtaining information they need to fix vulnerabilities.
Advisories such as Rockwell’s provide a rare window into how advanced hacking groups target industrial systems and prompted researchers at Forescout Technologies to look more closely at how Rockwell hoped to fix their systems. Aiming to write threat detection rules for their customers, the researchers found discrepancies in the detection rules and the patches released by the firm.
“We took the patched version and the unpatched version of the firmware and we looked at the code for what was actually patched and what was not,” said Daniel dos Santos, head of security research at ForeScout.
The researchers found bits of code that were changed in the patch that were not mentioned in the detection rules issued by the vendor. An email service had portions of the code patched but that fix was not addressed in the detection rules released by Rockwell. Another proprietary service called “Spy Object” was found in the mitigation rules but the patch did not touch that portion of code. And even if patches were applied, Forescout researchers concluded that an attacker could still move through an infected network, a phenomenon the company calls “deep lateral movement.”
The Rockwell alert points to the possibility that the vulnerability might be exploited to manipulate firmware on targeted systems to achieve persistence, a suggestion that Forescout’s researchers argue could indicate that the discoverer of the vulnerability also has reviewed a piece of malware that could be used to exploit the vulnerability.
“This suggests that whoever uncovered this capability with the unnamed advanced persistent threat (APT) may have also uncovered an as-of-yet undisclosed post-exploitation payload focusing on firmware manipulation and persistence,” Forescout’s report notes.
“I do understand that when you are working with the government there is a level of ‘secrecy’ that is required,” dos Santos said. “They say that they found something. Let’s believe them; I’m not saying they’re not right. But it’s like where are the details? How can we as a community share things that then can be analyzed by everybody?”
When U.S. cybersecurity officials last year revealed the existence of the malware known as “Pipedream”, described as a highly capable tool for attacking industrial control systems, researchers were once again left with scant technical details about the program.
More broadly, the lack of detailed information about vulnerabilities in industrial control systems is a common enough problem that it can be safe to assume that vendors are leaving information out in vulnerability disclosures, dos Santos argues.
Rockwell did not respond to requests for comment.
Asked about the lack of detail regarding the Rockwell vulnerability, a spokesperson for CISA pointed to its coordinated vulnerability disclosure process, which works with vendors to release information to the broader public about a particular vulnerability.
Rockwell’s ControlLogix controllers are typically used in manufacturing environments and include control, safety logic and communication services that allow components to talk to other systems in the network. The controllers are separate modules that can be attached to a chassis depending on the facility’s needs and unique configuration.
“This is similar to a laptop, where the CPU, hard disk and networking cards connect via the motherboard and the user can replace each of these ‘modules’ for another compatible one,” dos Santos explained in an email.
The vulnerability in the communication module could allow hackers to connect to the other modules on the chassis or the network like a logic or safety controller, which could lead to disabling safety constraints.
The Rockwell alert notes that the company is not aware of any exploitation of the vulnerability “and the intended victimization remains unclear,” however it’s likely that it was developed to target critical infrastructure sectors.
Ron Fabela, CTO at cybersecurity firm XONA Systems, said that for industrial control system vulnerabilities, “it’s no longer useful to just know what is affected, but asset owners and defenders need to know what to do about it.”
“Similarly, any time we read the latest threat research report on APT activity in ICS there often lacks a ‘so what’ or ‘what now’ analysis, leaving research companies with just awareness of the problem but little practical application outside of the event specifics,” Fabela said.
After releasing the July patch, Rockwell published an additional alert in September for the same communication modules. This time around, the patch changed code in the email service that was also patched in the previous release. However, Rockwell said that this new vulnerability did not have to do with the previous one that was discovered by state hackers.
“It’s just very confusing,” dos Santos said.
The post Researchers want more detail on industrial control system alerts appeared first on CyberScoop.
Ransomware groups rack up victims among corporate America
Earlier this month, the American defense giant Boeing joined one of corporate America’s fastest growing clubs: firms who have been breached by a new generation of increasingly brazen cybercriminals.
Last week, the hacking crew calling itself LockBit posted posted roughly 43 gigabytes of company data belonging to Boeing’s parts and distribution businesses, but that was just one of a string of breaches affecting major U.S. corporations — firms that in theory should have fairly mature defenses — carried out by hackers linked to the cybercriminal underground known as the Com, ALPHV, LockBit and Lapsus$.
Among their victims are Boeing, Clorox, Caesars Entertainment, Microsoft, MGM Resorts, Nvidia, Samsung, Okta and the Industrial and Commercial Bank of China (ICBC).
Claiming victim after victim in the American corporate landscape, these hacking groups are managing to breach well resourced corporations nearly at will, stealing data, extorting victims and shaming them along the way.
“It’s kind of like a lightning strike in the sense that if they want to go after you, they’ll probably have a fair bit of success, for most companies,” said Tom Uren, formerly of the Australian Signals Directorate and a current editor with Seriously Risky Business cybersecurity news. “It’s just whether they happen to have you in their sights.”
On Tuesday, the Cybersecurity and Infrastructure Security Agency, the FBI and Australia’s signals intelligence agency released an advisory drafted with Boeing’s input describing how LockBit was able to penetrate the defense contractor.
According to the advisory, LockBit affiliates exploited a Citrix vulnerability tracked as CVE-2023-4966 and “Citrix Bleed” that was was first exploited in the wild in August, according to Mandiant. That vulnerability has been widely exploited by multiple ransomware groups to target a major law firm, a major Australian shipping company and was used to breach ICBC, according to the researcher Kevin Beaumont.
The breach of ICBC resulted in disruptions of the U.S. Treasury market, a linchpin of the global financial system.
Citrix disclosed the vulnerability on Oct. 10 and issued patches shortly after, but the vulnerability continues to be exploited. CISA has notified nearly 300 organizations that are potentially vulnerable to the exploit, a senior CISA official said Tuesday, although there are likely additional vulnerable organizations.
According to data collected by GreyNoise, a company that tracks malicious activity online, there are nearly 360 active hosts potentially working to exploit the vulnerability as of Tuesday.
The failure to patch widespread vulnerabilities like these have created a lucrative cybercriminal landscape for groups like LockBit, which refers to the collective name for the ransomware variant, the group that develops and maintains it, and their affiliates. The group has carried out more than 1,400 attacks against victims in the U.S. and around the world since January 2020, a senior FBI official said Tuesday, making at least $100 million in ransom demands and collecting ransom payments in the tens of millions from victims.
In the absence of law enforcement actions against these criminal hackers, there is little reason to believe these attacks will let up any time soon. The FBI has taken “some actions to date specifically against LockBit and continue to pursue enforcement opportunities when and where we can take them,” the senior FBI official said.
Cybersecurity experts for years have advised companies to follow basic cybersecurity hygiene protocols, and the situation has improved, experts say. But the major successes of LockBit and others of late show that there’s still a long way to go with the basics — such as patching vulnerable software and systems.
“The controls that most organizations have in place to protect their data, such as [data loss prevention], seem to be failing with serious consequences,” said Allan Liska, an intelligence analyst with Recorded Future. “But, it is not just data within an organization’s network that is of concern. Ransomware groups are able to pull data from your cloud, your vendors’ clouds, your vendors’ vendors’ clouds and so on.”
Organizations need to better improve their monitoring and controlling the entire data supply chain, he said, because “the ransomware groups don’t care where they get your data from they just care that they have it and can use it to extort you.”
Even as companies have improved their defenses, a spate of recent high profile attacks have social engineering attacks that modern security systems are struggling to prevent. These attacks involve calls to things like IT help desks, where individuals who control access to a system or network are convinced over the phone to give up credentials.
A recent report from Coveware, a firm specializing in cyber extortion incident response, noted IT help desks are designed to solve problems for customers quickly and that this is creating an easy way in for attackers.
“In several of the cases we studied, it was clear that the IT support team’s incentives (speed to resolution) abetted the social engineering,” Coveware wrote. “This is not an easy problem to solve, but we commend the enterprises that have mitigated the risks. These fixes meant increased costs and a mild deprecation to the employee stakeholder experience, for the sake of security.”
Jon DiMaggio, the chief security strategist with Analyst1 who has written extensively on the internal workings of LockBit, said that while there are only a few groups with the “skill and talent and creative ability to do some of these more advanced attacks,” these crews, particularly those associated with the AlphV attacks, are becoming much better at social engineering.
Many major companies still have problems with the cybersecurity basics, DiMaggio said, let alone building help desks that are tough to manipulate. “It’s tough, but they have to change,” DiMaggio said. “Trying to focus on helping people and helping your clients can’t always be number one anymore.”
That might slow response times, he noted, but that’s “a lot better than having to lose ungodly amounts of money, having your reputation destroyed and everything else.”
The post Ransomware groups rack up victims among corporate America appeared first on CyberScoop.
Security trends public sector leaders are watching
Cyber threats against public sector organizations continue to evolve, and security strategies need to keep pace in an ongoing game of cat-and-mouse. According to industry and government security leaders, threat trends to pay attention to include artificial intelligence-enabled attacks and defensive measures, an increase in persistence in the network and risks associated with software supply chain and open-source technology.
These reflections were shared in a recent interview series, produced by Scoop News Group, for CyberScoop, and underwritten in part by Google Cloud and Mandiant.
Improving security resilience with AI
“AI is going to provide a tremendous amount of opportunities on the cybersecurity defender side,” said Stacy O’Mara, government strategy, policy and partnerships with Google Public Sector, “it’s about being as smart and safe and transparent as possible when you’re thinking about those entities that are developing AI capabilities and government entities who might be procuring them.”
Several leaders in the series echoed a similar view — that the degree to which the government will regulate artificial intelligence will decide the effectiveness of its adoption.
Secretary of Information Technology for the State of Maryland, Katie Savage, touched on how her state works to ensure it has appropriate guardrails to develop responsible, ethical and secure AI capabilities. She is leaning on the White House’s AI Bill of Rights for guidance.
“We also want to work together to think about a series of pilots for how [the state] might actually deploy AI in the wild and get after some of the larger problems, new constituent services and cybersecurity needs,” she stated.
“There are tremendous amounts of data that we’re looking at. Not just for security, but that enables the citizens themselves to be better protected or better informed,” added Jon Ford, senior practice leader with Mandiant. He spoke about AI being used by cities to leverage new capabilities that help to protect and serve the citizenry and touched on how generative AI can be used to extend access to information for those citizens who don’t speak English as a first language.
Rising to the challenge of new threats
Leaders discussed some of the biggest challenges the public sector faces in combating evolving cyber threats.
Stressing the criticality of zero trust, Savage shared that when states like Maryland share resources and data with executive agencies — such as the Department of Labor and the Department of Health — it is incumbent upon the states to ensure those endpoints are protected.
“We’re taking a really hard look right now at how our enterprise IT teams and our cybersecurity team can work together more seamlessly to better manage identity and access management, for example, and mobile device management,” she said of Maryland’s efforts to improve its security posture.
Strengthening zero-trust security must continue to evolve, echoed Jean-Paul Bergeaux, CTO, federal with GuidePoint Security. Government agencies, he explained, have to bridge complexity divides and silos and start to consolidate the number of security tools and technologies they are managing. He stressed the importance of a “holistic architecture” where tools and capabilities work together within a zero-trust framework.
Google Public Sector’s Head of Mandiant Government Solutions, Ron Bushar, added that moving to a zero-trust posture and complying with the various executive orders on security modernization are extensive and complicated efforts that will require reengineering entire parts of the infrastructure. The result will be a valuable payout from a risk, security and resiliency perspective. However, in the meantime, leaders also need to focus on a reality: they are still fighting against threats every day to protect their assets.
Several leaders also distinguished the challenges for federal versus state government agencies, with Ford stating that funding is a big driver for what can or can’t be accomplished. He shared a trend among state and local governments to centralize security operations center (SOC) operations that enable cities, localities and counties to roll up into a larger cybersecurity ecosystem.
Overall, each leader underlined the importance of using the resources and frameworks available to further develop their security posture.
O’Mara explained that the sophistication of threat actors is constantly moving, which requires a posture shift from defenders.
“I think we’re moving away from one-off cyberattacks and really focused on how to get after long-term persistent campaigns from nation-state actors, which could really have tremendous impacts on security [and] our economy,” she said.
Jeremy Corey, principal cybersecurity strategist for August Schell, echoed that sentiment, adding that the adversary is no longer focused on a “full frontal assault.” Rather, they are targeting weaknesses in government alliances and partnerships among industry partners and exploiting a growing reliance on open-source technologies.
This video series was produced by Scoop News Group, for CyberScoop, and sponsored in part by Google Cloud and Mandiant.
The post Security trends public sector leaders are watching appeared first on CyberScoop.