Cyber
The Next Frontier

Become part of a critical layer of cyber defense. Cybersecurity positions will make up 45% of all US tech job openings.

View Full Curriculum

The National Security Agency designated the University of Arizona's Cyber Operations program as a Center of Academic Excellence in Cyber Operations (CAE-CO). With this designation, UA joins an extremely exclusive group of only 24 cyber programs in the nation. The NSA's CAE-CO designation demonstrates that UA's Cyber Operations program meets the most demanding academic and technical requirements.

Learn More

 

The Bachelor of Applied Science in Cyber Operations prepares graduates for cyber-related occupations in defense, law enforcement, and private industry.

Our curriculum includes both offensive and defensive cyber security content delivered within our state-of-the-art Virtual Learning Environment to ensure our students have extensive hands-on experiences to develop the knowledge, skills, and abilities necessary to succeed after they graduate.

 

Program News

DoD Cyber Scholarship Program (CySP)

The DoD CySP is a yearly scholarship program aimed at Juniors and Seniors pursuing a bachelor’s degree in cyber-related academic disciplines. The CySP is a 1-year scholarship, which grants selected Cyber Scholars tuition and mandatory fees (including health care), funding for books, a $25K annual stipend, and guaranteed employment with a DoD agency upon graduation.

Cyber News

Thursday, January 26, 2023 - 13:21
Cybercriminals scam two federal agencies via remote desktop tool, CISA warns

Cybercriminals duped federal employees into downloading remote monitoring and management software and then used it to execute scams to steal money from victims’ bank accounts, top cybersecurity officials said Wednesday.

In an alert warning agencies about the malicious use of remote management software, in this case ConnectWise Control and AnyDesk, officials said that while the specific activity “appears to be financially motivated and targets individuals, the access could lead to additional malicious activity against the recipient’s organization—from both other cybercriminals and [advanced persistent threat] actors.”

The joint alert from the Cybersecurity and Infrastructure Security Agency, National Security Agency and Multi-State Information Sharing and Analysis Center did not specify which agencies were affected, but noted that at least two were victims.

Additionally, the alert said help desk-themed phishing emails were sent since at least June 2022 to multiple federal civilian agencies. CISA detailed the two instances of suspected malicious activity discovered in October using the federal intrusion detection program known as EINSTEIN. In mid-June, a federal civilian agency received a phishing email and the victim called a phone number contained in the message and led them to a malicious domain. In mid-September, CISA identified traffic flowing between an agency network and a malicious domain.

An screenshot example of a help-desk themed phishing email sent to civilian federal agencies.

The campaign continued until at least early November, the alert said. The hackers impersonated help desk services such as Geek Squad Services, general tech support owned by Best Buy, as well as Norton, Amazon, McAfee and PayPal in order to dupe victims. Once the hackers had access to the victims’ machines, they could potentially sell any network access to other cyber criminals or APT groups, according to the alert. “This campaign highlights the threat of malicious cyber activity associated with legitimate RMM software.”

The report warned that, generally, remote management software does not trigger antivirus or anti-malware defenses and that hackers can use legitimate RMM software in a portable executable which can “bypass administrative privilege requirements and software management control policies.” Additionally, RMM software can reduce the need for a malicious hacker to use custom malware and can act as a backdoor to keep on the victim’s network.

The post Cybercriminals scam two federal agencies via remote desktop tool, CISA warns appeared first on CyberScoop.

Thursday, January 26, 2023 - 09:02
Chinese influence operations may lack critical element: influence

One of China’s most prolific influence operations has turned out to be spammy, low-quality, and generally results in low engagement, Google’s Threat Analysis Group said after it disrupted more than 50,000 instances of activity from the so-called Dragonbridge network in 2020, according to a report released Thursday.

The report comes as national security officials and policymakers continue to raise concerns about Beijing weaponizing data, specifically via the Chinese-owned social media app TikTok. In this case, however, an apparently well-resourced Chinese influence operation hasn’t attracted much of an audience at all, the Google TAG researchers found. “Despite their scale and profuse content production, DRAGONBRIDGE achieved practically no organic engagement from real viewers,” TAG found.

Dragonbridge has previously targeted rare earth mining companies in the U.S., Australia, and Canada. In June 2022, cybersecurity firm Mandiant, which has since been bought by Google, revealed that Dragonbridge masqueraded as local Texans who were critical of an Australian rare earth mining company planning on expanding in the state. The operation also had limited impact, researchers said at the time, but did point to China’s interest in maintaining its rare earth market domination.

Also, during the U.S. midterms last year, Mandiant discovered Dragonbridge operations attempting to discredit the elections and to “sow division both between the U.S. and its allies and within the U.S. political system itself.” However, that operation also appeared to have little impact.

Google researchers found that most Dragonbridge’s YouTube channels had zero subscribers and more than 80% of those videos had less than 100 views. On Blogger, the story was no different, with nearly 95% of the posts receiving 10 or fewer views. However, some of the messaging from Dragonbridge is overtly political and promoting pro-China messaging such as Beijing’s response to COVID-19 in a positive light, levied criticism against pro-democracy protests while praising pro-Chinese government candidates.

Additionally, in 2022, DragonBridge’s content included calls for unification with Taiwan. Following House Speaker Nancy Pelosi’s historic visit to Taiwan in July, Dragonbridge shifted focus to criticize the speaker along with her finances and family. During Pelosi’s visit, a distributed denial-of-service attack shut down the website of Taiwan’s president for 20 minutes.

Dragonbridge also attempted to stroke claims that the U.S. was responsible for “striking tensions and meddling in the domestic affairs of other countries,” according to the TAG researchers. “US-focused narratives portrayed US society and democracy in a negative light, cycling through political and social narratives that evolved with the headlines,” their report said.

Google researchers said that Dragonbridge is willing to experiment and try smaller, high-quality content that replaces machine-generated voices with real human narrations. Additionally, some of Dragonbridge channels included a “news like” talk show, animated political cartoons, and other non-political content like beauty and cooking advice.

“As they evolve over time, [Dragonbridge] coordinated inauthentic activity may eventually attract the attention of real users. For this reason, TAG and Mandiant track [Dragonbridge] closely and Google has taken an aggressive approach to identifying and removing their content,” the report said.

The post Chinese influence operations may lack critical element: influence appeared first on CyberScoop.

Thursday, January 26, 2023 - 08:14
FBI, Europol seize Hive ransomware group infrastructure

Hive, one of the most prolific ransomware operations that U.S. officials say is responsible for at least 1,300 attacks that resulted in at least $100 million in ransom payments, said its site has been seized by law enforcement agencies in the U.S. and Europe.

A government official familiar with the matter confirmed to CyberScoop that the FBI carried out this operation overnight with partners.

The Hive ransomware gang is responsible for attacks against a wide range of businesses and critical infrastructure operations, including government facilities, critical manufacturing and especially healthcare and hospitals.

The FBI has worked with international partners before to arrest ransomware group members. In November the Justice Department worked with Canadian police to arrest a dual Russian and Canadian national for allegedly participating in LockBit ransomware attacks.

This story is still developing.

Elias Groll contributed reporting.

The post FBI, Europol seize Hive ransomware group infrastructure appeared first on CyberScoop.

Thursday, January 26, 2023 - 04:00
Pro-Iranian hacking group focused on Saudi Arabia, researchers say

In November, a website from a group that appeared to have links to the Lebanese militants Hezbollah appeared online, posting anti-Israeli rhetoric — no a surprise from one of Israel’s fiercest regional enemies.

The site, called Abraham’s Ax, showed an image of an arm draped in a green cloth — a key color for Hezbollah — with an outstretched hand holding an axe. A message at the bottom read, “All rights reserved for Hezbollah Ummah.”

But the site appears to be a ruse.

In a report published Thursday, researchers with Secureworks Counter Threat Unit Research Team say they can find no evidence that ties Abraham’s Ax to Hezbollah. Rather, it’s more likely the group is operated by the same entity behind Moses Staff, a hacktivist group that went after Israeli targets with hack-and-leak operations that researchers have previously linked to the Iranian government and Secureworks calls Cobalt Sapling.

Abraham’s Ax shares common iconography, videography and infrastructure with Moses Staff, but what sets it apart is that it seems focused on Saudia Arabia.

A video published by the group purports to play audio of intercepted phone calls of both senior Saudi and Israeli officials, and as Saudi Arabia and Israel grow closer, Secureworks sees Abraham’s Ax as the latest attempt by Iran to throw a wrench in the spanner of the emerging Saudi-Israeli alliance.

“This seems to be a tool that Iran is rolling out to put pressure on what is already a fairly fragile situation in terms of those ongoing talks,” said Rafe Pilling, principal researcher with Secureworks Counter Threat Unit. “Obviously it’s very much not in Iran’s interest for Israel and Saudi Arabia to get closer.”

Abraham’s Ax is perhaps among the latest in a string of state-backed hacking groups to emerge in the region. Some groups, such as Moses Staff, emerge to push a clear message, publish hacked materials, and remain active over a long period, while others seem to emerge as a means to publish stolen materials, and quickly disappear.

Iran and Saudi Arabia have an intense history of physical and cyber conflicts. In 2019, for instance, the U.S. and Saudi governments accused Tehran of backing a drone attack on Saudi oil infrastructure carried out by the Houthi rebels in Yemen. After that attack, the U.S. carried out a “secret cyber operation” against unnamed Iranian targets, Reuters reported at the time. Previously, experts believe Iranians used the Shamoon wiper malware in multiple attacks on Saudi targets dating back to 2012, and then again in 2016 and 2018. The 2012 attack was also claimed by a hacktivist persona, which in that case called itself the “Cutting Sword of Justice.”

Pro-Iranian front groups have been active for years and have played a key role in the ongoing cyber tit-for-tat between Iran and Israel. These groups include Moses Staff and another pro-Iranian group, Black Shadow. Another pro-Iranian hacking group, Homeland Justice, attacked Albanian government systems in a series of destructive digital assaults in July 2022, leading Albania to sever diplomatic ties with Iran and the U.S. to sanction the Iranian Ministry of Intelligence.

In November, Abraham’s Ax claimed to have hacked into Saudi Arabia’s Ministry of Interior and published a sample of hacked data. Under a highly produced video dramatizing the hack, the group posted what it called a “proof-of-concept” file which reportedly contained a series of files with titles including “Airport-King-abbdol-aziz-Jaddeh” and “DEVELOPMENT OF THE SECURITY FACILITIES FOR MOI.”

“Al Saud regime’s actions fighting a media and proxy war to create riots and disintegration in Islamic Republic of Iran, which are under the control of Global Zionism, is clear to all thoughtful and free people in the world,” a message accompanying the Interior Ministry breach read. It added that the Saudis were organizing and backing multiple terrorist groups in other places, as well. “These actions will definitely not go unanswered and they will receive a severe slap from Iran and the Axis of Resistance.”

A press representative in the Saudi embassy in Washington could not be reached for comment Wednesday.

Screenshot from a video posted by Abraham’s Ax claiming to have breached the Saudi Ministry of Interior.

The Secureworks analysis found a series of similarities between Abraham Ax and Moses Staff. The logos used by the two groups are quite similar, for instance. Moses Staff’s logo features an arm with a hand holding a staff, while Abraham’s Ax’s is a hand holding an axe.

Both groups’ leak sites offer multiple languages — Hebrew and English for Moses Staff; Hebrew, Farsi and English for Abraham’s Ax — and both use domains registered through EgenSajt, a Swedish web hosting firm. At early points in their lifecycles, the researchers note, both sites were hosted in the same subnet, nearly adjacent to each other. “This is highly unlikely to occur by coincidence and strongly indicates the same entity chose to host the two sites in near contiguous IP address space,” the researchers wrote.

The two groups’ videos are similar, as well, employing almost identical graphics and styles.

Screenshots from the two group’s videos showing similar styles (Secureworks

The researchers note that various tools and malware have been linked to Moses Staff, such as the PyDCrypt loader and the DCSrv cryptographic wiper, as well as the StrifeWater remote access trojan. No such links have emerged with respect to Abraham’s Ax, but perhaps network defenders in Saudi Arabia and elsewhere should examine their systems for traces of the known Moses Staff malware, Pilling said.

“Identifying the fact that they may be linked to Moses Staff and therefore the back-end intrusion operators may share the same kind of tools, those are the sort of things to look out for,” Pilling said.

The post Pro-Iranian hacking group focused on Saudi Arabia, researchers say appeared first on CyberScoop.

Wednesday, January 25, 2023 - 12:24
Data breach notices become more opaque, leaving consumers in the dark

Data breach disclosures that included specific details for consumers dropped dramatically in 2022, according to the most recent data from the Identity Theft Resource Center.

Of the 1,802 breaches the group tracked in 2022, 66% did not include victim and attack details such as root cause. It’s a dramatic decline from two years ago when 100% of reported breaches tracked by the center included details about attack vectors.

Data breaches in 2022 affected roughly 400 million individuals, according to the ITRC report. The trend toward less descriptive disclosures makes it harder for consumers to protect themselves and for policymakers and cyber defenders to respond, experts say.

“That’s hundreds of millions of people who are left in the dark about what’s happened to them, and more importantly, what they can actually do about it,” Eva Velasquez, president and chief executive order of the Identity Theft Resource Center, said at an event Wednesday co-hosted with Better Identity Coalition.

Graphic of data breach notification trends (courtesy of Identity Theft Resource Center.)

“If your card numbers or your bank account numbers were stolen, there are different steps that you should take than if it was just your social,” said James Ruotolo, senior manager in fraud risk mitigation at Grant Thornton. “There are certain things that consumers can and should do to protect themselves. None of that information is being communicated in the vast majority of the breach notices that I’ve seen.”

Companies are currently subject to a patchwork of state data breach laws, many of which don’t require victim details. The Federal Trade Commission has gone after companies for covering up or failing to disclose breaches, such as when it ordered CafePress last year to take on new security protocols in light of covering up multiple breaches.

But current enforcement measures might not be incentive enough for reporting.

“I don’t think that there’s much fear of the consequences. The FTC can’t bring the same kind of fines it did before. State [attorneys general] are overworked. Courts aren’t granting standing when you go to court as a private litigant,” said John Breyault, vice president of public policy at the National Consumers League. “So, what’s the downside of not putting more information out there that’s going to potentially harm your business?”

The report puts the number of data compromises in 2022 at 1,802, just 60 short of an all-time high set in 2021. Twitter had both the first and sixth largest breaches on the list with approximately 220 million victims of a suspected breach revealed in December and roughly 5.5 million victims in November tied to a previously reported breach of Twitter’s API in 2021. Twitter maintains that there’s no evidence of the breach that involved 220 million victims.

ITRC attributed the slight slowdown in breaches last year to Russia-based cybercriminals being distracted by the war in Ukraine, a theory several cybersecurity experts have also posed

The ITRC report also notes that cybercriminals are moving away from zero-day exploitations to going after weaknesses in APIs, a problem highlighted a recent breach of T-Mobile that effected up to 37 million consumers.

The post Data breach notices become more opaque, leaving consumers in the dark appeared first on CyberScoop.