InfoSec MASHUP - Week 45/2023
Data breaches in Ireland, Canada, Singapore, and more; WhatsApp and Signal doubling down on privacy; More backdoors and malware in open source software; LockBit leaks 50GB of Boeing data;
📚 This Week’s Recommended Reading
About the author
Darryl Carlton has spent 50 years working in IT. During this time, he has been an employee, a consultant, an entrepreneur, and an educator. He was the founder of a pioneering cloud business and held the first SaaS patent in the world. His experience spans multi-national corporations, governments, telecommunications, and retailers. Darryl has spent many decades teaching, consulting, and running projects.
➤ Breaches & Security Incidents
LockBit has allegedly started leaking data that the gang stole from Boeing in late October. The Cybernews research team noted there is around 50 GB of supposedly Boeing's data. The bulk of the data appears to be various backups.
Organizations back up various data, mostly to be able to resume operations in the event of a data incident. File names of the allegedly leaked Boeing backups indicate they were made recently.
Earlier this week, attackers leaked the first batch of information which included a trove of sensitive company data, such as engine part suppliers and technical operators, as well as Boeing’s financial and marketing data.
Update November 10, 06:49 EST: The Industrial & Commercial Bank of China confirmed its services were disrupted by a ransomware attack that impacted its systems on Wednesday, November 8.
"On November 8, 2023, U.S. Eastern Time (November 9, 2023, Beijing Time), ICBC Financial Services (FS) experienced a ransomware attack that resulted in disruption to certain FS systems. Immediately upon discovering the incident, ICBC FS disconnected and isolated impacted systems to contain the incident," said the bank.
Japanese electronics manufacturer Japan Aviation Electronics Industry is recovering from a cyberattack for which the Alphv/BlackCat ransomware group has claimed responsibility.
The disruption, Japan Aviation Electronics noted, resulted in “some delays in sending and receiving emails”.
“No information leakage has been confirmed to date,” the manufacturing giant also noted.
Sumo Logic describes itself as providing best-in-class cloud monitoring, log management, Cloud SIEM tools, and real-time insights for web and SaaS-based apps. On November 7, they posted a notice on their website about what they identified as “a possible security incident within our platform.”
According to their notice, Sumo Logic discovered evidence of a potential security incident on November 3.
“The activity identified used a compromised credential to access a Sumo Logic AWS account. We have not at this time discovered any impacts to our networks or systems, and customer data has been and remains encrypted.”
Energy supplier Electric Ireland has admitted that thousands of its customer accounts may have been compromised by a serious data breach.
The blunder could see customers’ financial information falling into the wrong hands.
It said an employee of a company working on its behalf may have inappropriately accessed 8,000 residential customer accounts.
Shared service provider TransForm has published an update on the cyberattack that recently impacted operations in multiple hospitals in Ontario, Canada, clarifying that it was a ransomware attack.
The organization confirms that the attackers managed to steal a database containing information on 5.6 million patient visits, corresponding to approximately 267,000 unique individuals.
Between October 19 and 20, Marina Bay Sands (MBS), the iconic integrated resort in Singapore, experienced a data security breach in which an unauthorized third party accessed the personal information of approximately 665,000 members of its non-casino rewards program, Sands LifeStyle.
The incident was identified on October 20.
🇺🇸 🗳️ A Cyber Breach Delays Poll Worker Training in Mississippi’s Largest County Before the Statewide Vote
Election officials in Mississippi’s most populous county had to scramble to complete required poll worker training after an early September breach involving county computers.
In Hinds County, such training is typically completed by early October before a November general election, according to Election Commissioner Shirley Varnado. Instead, office staff members worked right up to Thursday’s deadline to finish the training after Varnado said they were unable to access their computers for about three weeks.
➤ Cybercrime, Cyber Espionage, APTs
In the wake of Hamas’s attack on Israel, researchers and cybersecurity firms observed an uptick in operations by hacktivists and state-sponsored hacking groups. But more than one month into the conflict, researchers are increasingly concluding that cyberoperations linked to the war have been mostly opportunistic in nature and frequently exaggerated in terms of their impact.
OpenAI has been addressing "periodic outages" due to DDoS attacks targeting its API and ChatGPT services within the last 24 hours.
While the company didn't immediately provide any details on the root cause of these incidents, OpenAI confirmed earlier today [Nov 9, 2023] that they're linked to ongoing distributed denial-of-service (DDoS) attacks.
"We are dealing with periodic outages due to an abnormal traffic pattern reflective of a DDoS attack. We are continuing work to mitigate this," OpenAI said in an update to an incident report published 11 hours ago.
Microsoft has recently removed from its store a fraudulent Ledger Live app for cryptocurrency management after multiple users lost at least $768,000 worth of cryptocurrency assets.
Published under the name Ledger Live Web3, the fake application appears to have been present in the Microsoft Store since October 19, but the cryptocurrency theft started being reported just a couple of days ago.
The security hole, tracked as CVE-2023-4911 and named Looney Tunables, has been found to impact major Linux distributions, including Debian, Gentoo, Red Hat, and Ubuntu. It allows a local attacker to execute arbitrary code with elevated privileges.
The US Department of the Treasury’s Office of Foreign Assets Control (OFAC) on Friday announced sanctions against Ekaterina Zhdanova, a Russian national allegedly involved in money laundering for ransomware affiliates and Russian elites.
Zhdanova, the US Treasury says, uses virtual currency exchange transfers, fraudulent accounts and purchases, and connections to international money launderers to aid her clients in moving funds.
Israeli higher education and tech sectors have been targeted as part of a series of destructive cyber attacks that commenced in January 2023 with an aim to deploy previously undocumented wiper malware.
The intrusions, which took place as recently as October, have been attributed to an Iranian nation-state hacking crew that Palo Alto Networks Unit 42 tracks under the name Agonizing Serpens, which is also known as Agrius, BlackShadow and Pink Sandstorm (previously Americium).
"The attacks are characterized by attempts to steal sensitive data, such as personally identifiable information (PII) and intellectual property," Palo Alto Networks Unit 42 said in a new report shared with The Hacker News.
“Our IT team, with the support of outside experts, continues to work nonstop to restore our systems. We are pleased to report that our restoration efforts are progressing, and we will soon be able to begin to bring back some of our online services,” the organization said in a November 2 incident notification.
➤ Government, Politics, and Privacy
France and Britain are calling for greater global regulation of commercial surveillance software in the wake of recent Pegasus and Predator spyware scandals, the French foreign ministry said Friday.
In a joint initiative announced at the Peace Forum in the French capital, Paris and London warned against the unregulated development and use of surveillance technology.
While the use of such spyware might be legitimate, it only takes “a few lines of code” to allow it to be used with malicious intent, a French official said.
Meta-owned WhatsApp is officially rolling out a new privacy feature in its messaging service called "Protect IP Address in Calls" that masks users' IP addresses to other parties by relaying the calls through its servers.
"Calls are end-to-end encrypted, so even if a call is relayed through WhatsApp servers, WhatsApp cannot listen to your calls," the company said in a statement shared with The Hacker News.
[…] Thierry Breton, the European commissioner focused on digital issues, is working hard to push forward outstanding policy proposals.
One of these proposals is the EU Cybersecurity Certification Scheme for Cloud Services (EUCS), a shameless attempt by the European Commission to impose strict sovereignty requirements on the internet. It is a voluntary scheme, designed by Europe’s cybersecurity agency, ENISA, that European companies would use to demonstrate the robustness of their privacy and security measures.
➤ ICS & OT
Threat hunters at Mandiant are shining the spotlight on a pair of previously undocumented operational technology (OT) attacks last October by Russia’s “Sandworm” hackers that caused an unplanned power outage and coincided with mass missile strikes on critical infrastructure across Ukraine.
The attacks, which spanned several months and culminated in two disruptive events on October 10 and 12 last year, leveraged what Mandiant is describing as a “novel technique” for impacting industrial control systems (ICS) and OT.
Russian state hackers have evolved their methods for breaching industrial control systems by adopting living-off-the-land techniques that enable reaching the final stage of the attack more quickly and with fewer resources.
Security researchers highlight that the change opens the door to attacks that are more difficult to detect and don’t necessarily require sophisticated malware for industrial control systems (ICS).
➤ Malware & Threats
Highly invasive malware targeting software developers is once again circulating in Trojanized code libraries, with the latest ones downloaded thousands of times in the last eight months, researchers said Wednesday.
Since January, eight separate developer tools have contained hidden payloads with various nefarious capabilities, security firm Checkmarx reported. The most recent one was released last month under the name "pyobfgood." Like the seven packages that preceded it, pyobfgood posed as a legitimate obfuscation tool that developers could use to deter reverse engineering and tampering with their code. Once executed, it installed a payload, giving the attacker almost complete control of the developer’s machine.
An updated version of an information stealer malware known as Jupyter has resurfaced with "simple yet impactful changes" that aim to stealthily establish a persistent foothold on compromised systems.
"The team has discovered new waves of Jupyter Infostealer attacks which leverage PowerShell command modifications and signatures of private keys in attempts to pass off the malware as a legitimately signed file," VMware Carbon Black researchers said in a report shared with The Hacker News.
A previously undocumented macOS malware strain dubbed ObjCShellz has been attributed to the North Korea-linked nation-state group called BlueNoroff.
"Based on previous attacks performed by BlueNoroff, we suspect that this malware was a late stage within a multi-stage malware delivered via social engineering," security researcher Ferdous Saljooki said in a report shared with The Hacker News.
BlueNoroff, also tracked under the names APT38, Nickel Gladstone, Sapphire Sleet, Stardust Chollima, and TA444, is a subordinate element of the infamous Lazarus Group that specializes in financial crime, targeting banks and the crypto sector as a way to evade sanctions and generate illicit profits for the regime.
"Discord is evolving its approach to attachment CDN URLs in order to create a safer and more secure experience for users. In particular, this will help our safety team restrict access to flagged content, and generally reduce the amount of malware distributed using our CDN."
➤ Tech & Tools
Signal is now testing public usernames that allow users to conceal the phone numbers linked to their accounts while communicating with others.
Bitwarden, the password manager company, has been busy this year getting ready for passkeys with its acquisition of passwordless.dev, creating new passkey development tools, and carrying out research into passkey adoption.
And the company is now rolling out passkey management tools to all its users, including those on its free plan.
Microsoft has introduced a new protective feature in the Authenticator app to block notifications that appear suspicious based on specific checks performed during the account login stage.
Since the roll-out of the new feature completed at the end of September, Microsoft has blocked over six million MFA notifications suspected to have been initiated by hackers.
Microsoft will soon start rolling out Conditional Access policies requiring multifactor authentication (MFA) from administrators when signing into Microsoft admin portals such as Microsoft Entra, Microsoft 365, Exchange, and Azure.
The company will also roll out policies that will require MFA for per-user MFA users for all cloud apps and one that will require MFA for high-risk sign-ins (the latter only available to Microsoft Entra ID Premium Plan 2 customers).
➤ Vulnerabilities, Research, and Threat Intelligence
Cybersecurity researchers have developed what they describe as the first fully undetectable cloud-based cryptocurrency miner, leveraging the Microsoft Azure Automation service without racking up any charges.
Cybersecurity company SafeBreach said it discovered three different methods to run the miner, including one that can be executed on a victim's environment without attracting any attention.
Google makes no mention of any of these vulnerabilities being exploited in malicious attacks.
Foreign threat actors can easily obtain sensitive information on US military members from data brokers, according to a new Duke University study whose results were published on Monday.
The Duke researchers contacted a dozen brokers in the US to purchase information on military service members and veterans. They found that the methods used by brokers to verify the identity of customers are inconsistent and noted that these practices are largely unregulated by the US government.
While some brokers refused to sell the data to an unverified organization, others seemed more interested in ensuring confidentiality around the purchasing of the data, not the confidentiality of the actual data.
QNAP has released security updates to address two critical security flaws impacting its operating system that could result in arbitrary code execution.
Tracked as CVE-2023-23368 (CVSS score: 9.8), the vulnerability is described as a command injection bug affecting QTS, QuTS hero, and QuTScloud.
"If exploited, the vulnerability could allow remote attackers to execute commands via a network," […]
Microsoft says four Exchange vulnerabilities disclosed by Trend Micro’s Zero Day Initiative (ZDI) last week have either already been patched or do not require immediate attention.
ZDI’s advisories have been published with a ‘zero-day’ status, but the vulnerabilities are not actual zero-days as there is no indication that they have been exploited in the wild and there is no public technical information or PoC code that would increase their chances of getting exploited in the near future.
Veeam released hotfixes today to address four vulnerabilities in the company's Veeam ONE IT infrastructure monitoring and analytics platform, two of them critical.
"A vulnerability in Veeam ONE allows an unauthenticated user to gain information about the SQL server connection Veeam ONE uses to access its configuration database. This may lead to remote code execution on the SQL server hosting the Veeam ONE configuration database," an advisory published today says about the bug tracked as CVE-2023-38547.