"PurpleFox Malware Infected Thousands of Systems in Ukraine"

The Computer Emergency Response Team in Ukraine (CERT-UA) recently warned about a PurpleFox malware campaign that has infected at least 2,000 computers in the country. The CERT-UA noted that the exact impact of this widespread infection and whether it has affected state organizations or regular people's computers hasn't been determined. PurpleFox (or "DirtyMoe") is a modular Windows botnet malware first spotted in 2018 that comes with a rootkit module allowing it to hide and persist between device reboots.

Submitted by Adam Ekwall on Thu, 02/01/2024 - 12:41

Towards Trustworthy Autonomous Cyber Defense for Dynamic Intrusion Response

Co-Pi:

Abstract

This project proposes transformative research approaches to provide a significant leap toward genuine autonomous cyber defense by enabling playbooks to be dynamically adaptive, predictive, adversary-aware, and trustworthy. Our proposed techniques address the above challenges and enable advancing the science and engineering of the state-of-the-art of intrusion response automation by ambitiously seeking to develop autonomous cyber defense systems that require no or minimal human involvement in the decision-making loop while maximizing effectiveness (i.e., system convergence to a good state) and minimizing the time-to-respond or mitigate. We propose to make cybersecurity autonomous by designing formal models and techniques that can automatically observe, reason, predict, adapt, and act to respond to attacks proactively, providing provable guarantees of safety and convergence.

Ehab Al-Shaer

Dr. Al-Shaer is a Distinguished Research Fellow at Software and Societal Systems Department in the School of Computer Science, and Faculty Member of CyLab at Carnegie Mellon University. Prof. Al-Shaer was also a Distinguished Career Professor at School of College of Engineering at Carnegie Mellon University. Before joining CMU, Dr. Al-Shaer was a Professor and the Founding Director of NSF Cybersecurity Analytics and Automation (CCAA) center in the University of North Carolina Charlotte from 20011-2020.

Dr. Al-Shaer's primary research areas are AI-enabled cybersecurity including automated adaptive response, domain-specific language models for cybersecurity, formal methods for configuration verification and synthesis, active cyber deception, cyber deterrence and network resilience. He published 10 books and more than 250 refereed publications in his area of expertise. Dr. Al-Shaer was designated by the Department of Defense (DoD) as a Subject Matter Expert (SME) on security analytics and automation in 2011. He was also awarded the IBM Faculty Award in 2012, and the UNC Charlotte Faculty Research Award in 2013.

Dr. Al-Shaer was the ARO Autonomous Cyber Deception Workshop in 2018, General Chair of ACM Computer and Communication in 2009 and 2010, NSF Workshop in Assurable and Usable Security Configuration in 2008. Dr. Al-Shaer was also the Program Committee Chair for many conferences and workshops including ACM/IEEE SafeConfig 2013 and 2015, IEEE Integrated Management (IM) 2007, IEEE POLICY 2008. Al-Shaer has two accepted patents and several submitted ones. He also has lead several technology transfer projects. He is also an advisory board member for leading companies in cybersecurity automation.

Institution: Carnegie Mellon University

"US Feds Shut Down China-Linked 'KV-Botnet' Targeting SOHO Routers"

The US government took action to neutralize a botnet of hundreds of US-based Small Office and Home Office (SOHO) routers hijacked by Volt Typhoon, a China-linked Advanced Persistent Threat (APT) actor. The Black Lotus Labs team at Lumen Technologies revealed the botnet's existence in mid-December 2023. According to the Department of Justice (DOJ), most of the routers in the KV-botnet were Cisco and NetGear routers that were vulnerable because they were no longer supported through their manufacturer's security patches or software updates.

Submitted by Gregory Rigby on Thu, 02/01/2024 - 12:11

Resilient Systems through Adaptive Architecture

Lead PI:

David Garlan

Abstract

This project proposes Adaptive Security Architecture (ASA), a new model-based methodology for developing systems that are resilient, in that they are capable of delivering critical services in the presence of a security compromise. In this approach, a system is designed with explicit mechanisms for (1) detecting when one or more components deviate from their assumed behavior, possibly due to an on-going attack, and (2) dynamically relaxing its service guarantees to be achievable under the security compromise.

The overall goal of this project is to develop an approach for designing and deploying systems that are resilient, in that they are capable of providing critical services even when some components have been compromised by an attack.

David Garlan

David Garlan is a Professor in the School of Computer Science at Carnegie Mellon University. His research interests include:

software architecture
self-adaptive systems
formal methods
cyber-physical system

Dr. Garlan is a member of the Institute for Software Research and Computer Science Department in the School of Computer Science.

He is a Professor of Computer Science in the School of Computer Science at Carnegie Mellon University. He received his Ph.D. from Carnegie Mellon in 1987 and worked as a software architect in industry between 1987 and 1990. His research interests include software architecture, self-adaptive systems, formal methods, and cyber-physical systems. He is recognized as one of the founders of the field of software architecture, and, in particular, formal representation and analysis of architectural designs. He is a co-author of two books on software architecture: "Software Architecture: Perspectives on an Emerging Discipline", and "Documenting Software Architecture: Views and Beyond." In 2005 he received a Stevens Award Citation for “fundamental contributions to the development and understanding of software architecture as a discipline in software engineering.” In 2011 he received the Outstanding Research award from ACM SIGSOFT for “significant and lasting software engineering research contributions through the development and promotion of software architecture.” In 2016 he received the Allen Newell Award for Research Excellence. In 2017 he received the IEEE TCSE Distinguished Education Award and also the Nancy Mead Award for Excellence in Software Engineering Education He is a Fellow of the IEEE and ACM.

Institution: Carnegie Mellon University

"FritzFrog Botnet Exploits Log4Shell, PwnKit Vulnerabilities"

The FritzFrog cryptocurrency mining botnet is growing as a recently analyzed variant exploits the Log4Shell and PwnKit vulnerabilities for lateral movement and privilege escalation. The FritzFrog botnet, discovered in August 2020, is a Peer-to-Peer (P2P) botnet run by Golang-based malware. It targets SSH servers by brute-forcing login credentials and has successfully compromised thousands of them.

Submitted by Gregory Rigby on Thu, 02/01/2024 - 11:47

Continuous Reasoning with Gradual Verification

Lead PI:

Jonathan Aldrich

Abstract

This project proposes a program of research aimed at helping developers to more quickly construct and repair software, specifications, and proofs within a continuous reasoning process. our project begins by prototyping a Continuous Assurance system. This system adapts our prior work on Gradual Verification to context of continuous integration, supporting incremental progress towards proofs through the integration of static and dynamic verification. Once an initial prototype of continuous assurance is complete, we will begin on a Proof Maintenance system, which aims to maintain proofs in a checkable state after evolutionary changes are made to one or more components or their specifications. The final technical component of our approach is a Proof repair system, which adapts specifications that have been falsified by finding closely related specifications that remain true after an evolutionary step.

Jonathan Aldrich

Jonathan Aldrich is an Associate Professor of the School of Computer Science. He does programming languages and software engineering research focused on developing better ways of expressing and enforcing software design within source code, typically through language design and type systems. Jonathan works at the intersection of programming languages and software engineering. His research explores how the way we express software affects our ability to engineer software at scale. A particular theme of much of his work is improving software quality and programmer productivity through better ways to express structural and behavioral aspects of software design within source code. Aldrich has contributed to object-oriented typestate verification, modular reasoning techniques for aspects and stateful programs, and new object-oriented language models. For his work specifying and verifying architecture, he received a 2006 NSF CAREER award and the 2007 Dahl-Nygaard Junior Prize. Currently, Aldrich excited to be working on the design of Wyvern, a new modularly extensible programming language.

Performance Period: 01/01/2024 - 03/31/2024

Institution: Carnegie Mellon University

"'Leaky Vessels' Cloud Bugs Allow Container Escapes Globally"

Researchers have discovered four vulnerabilities, collectively called "Leaky Vessels," in container engine components. Three of the vulnerabilities enable attackers to break out of containers and perform malicious actions on the host system. One of the vulnerabilities affects runC, the lightweight container runtime for Docker and other container environments. It is the most critical of the four vulnerabilities, scoring 8.6 on the CVSS scale.

Submitted by Gregory Rigby on Thu, 02/01/2024 - 11:28

HCSS 2024 Travel Reimbursement Worksheet

Read more about HCSS 2024 Travel Reimbursement Worksheet

"Pump-and-Dump Schemes Make Crypto Fraudsters $240m"

According to security researchers at Chainalysis, market manipulators may have made over $240m last year by artificially inflating the value of Ethereum tokens. Chainalysis investigated the 370,000 tokens launched on Ethereum between January and December 2023, 168,600 of which were available to trade on at least one decentralized exchange (DEX).

Submitted by Adam Ekwall on Thu, 02/01/2024 - 09:50

"New NCCoE Guide Helps Major Industries Observe Incoming Data While Using Latest Internet Security Protocol"

The National Institute of Standards and Technology (NIST) has released a practice guide covering methods aimed at helping major industries implement the Internet security protocol TLS 1.3, as well as conduct network monitoring and auditing safely, securely, and effectively. Companies in finance, healthcare, and other major industries must follow best practices for monitoring incoming data for cyberattacks. TLS 1.3 provides advanced protection but complicates the performance of required data audits.

Submitted by Gregory Rigby on Wed, 01/31/2024 - 16:01

Subscribe to