What’s happening in cybersecurity today?
Okta, Credential Stuffing, Proxy Services, Cactus Ransomware Gang, Qlik Servers, Microsoft Office, Ukraine, Dev Popper, Fake Job Offers, RAT, Chrome 124, Web Connection Issues, Coffee County, Voter System, London Drugs, FBCS, ICICI Bank, Credit Card Details, BenefitsCal, Welfare Accounts, Department of Homeland Security, AI Safety Board, UK Law, Cybersecurity Standards, IoT Devices, Meta, WhatsApp, India, Privacy, Vulnerabilities, Microsoft Products, ICSpector, Industrial Cybersecurity.
Cyber Alerts
Okta, a leading provider of Identity and Access Management (IAM) services, has issued an alert about a significant increase in credential stuffing attacks targeting online services. These attacks rely on residential proxy services, lists of stolen credentials, and sophisticated scripting tools, and have escalated in frequency and scale over the past month. Okta advises reinforcing user security measures such as strong passwords and two-factor authentication, and its findings align with a broader trend noted in Cisco’s advisory of increased global brute-force attacks since mid-March 2024.
Since November 2023, the Cactus ransomware gang has exploited multiple vulnerabilities in Qlik Sense servers, including CVE-2023-41266, CVE-2023-41265, and CVE-2023-48365. Despite security advisories issued by Qlik, over 3,100 servers remain exposed and susceptible to these attacks. Defenders can identify at-risk servers using tools such as Nuclei templates or by checking the version details served in the “product-info.json” file; ongoing monitoring continues to reveal a concerning number of compromised systems worldwide.
Cybersecurity researchers have uncovered a targeted cyber operation against Ukraine that utilizes a seven-year-old vulnerability in Microsoft Office to deliver the Cobalt Strike malware via compromised systems. The attack, identified towards the end of 2023, begins with a PowerPoint slideshow file suspected to be distributed through Signal, a messaging app previously exploited for similar purposes. Although there’s no concrete evidence linking the distribution of the malware-laden file to Signal directly, the filename suggests a possible connection.
The “Dev Popper” campaign is targeting software developers with fraudulent job interviews in order to distribute a Python remote access trojan (RAT). Attackers engage candidates under the guise of legitimate job offers, instructing them to download and execute code from a GitHub repository as part of the interview process. This multi-stage infection involves downloading a seemingly harmless NPM package that secretly contains malicious scripts designed to compromise the developer’s system and give the attackers remote access and data exfiltration capabilities.
Following the release of Google Chrome 124, which enables the new quantum-resistant X25519Kyber768 key encapsulation mechanism (KEM), some users are experiencing connectivity issues with websites, servers, and firewalls. This version combines X25519 with the Kyber768 algorithm to establish keys for TLS 1.3 and QUIC connections, aiming to protect against future quantum cryptanalysis. However, the upgrade has inadvertently caused disruptions for some web applications and security devices, because servers do not recognize or properly handle the larger ClientHello messages that post-quantum key shares require.
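The failure mode described above, as an added example that is not part of the original article or of Chrome's code: a constructed TLS 1.3 ClientHello carrying an X25519 share plus a Kyber768-sized share (32 + 1184 bytes, the Kyber768 public key length) under the 0x6399 codepoint of the X25519Kyber768Draft00 hybrid group, delivered through a stand-in socket in 1400-byte segments the way TCP would split it. A server-side reader that assumes one `recv()` returns the whole record truncates the larger hello and drops the handshake; a reader that loops until the record length is satisfied does not. The padding extension stands in for the other extensions a real browser sends, and the segment size, sizes and helper names are assumptions.

```python
import struct
from io import BytesIO

X25519 = 0x001D
X25519KYBER768_DRAFT00 = 0x6399  # draft hybrid group codepoint used by Chrome 124 (assumed)
KEY_SHARE_EXT = 0x0033
PADDING_EXT = 0x0015
KYBER768_PK_LEN = 1184           # Kyber768 public key size in bytes


def build_client_hello(hybrid=True):
    """Constructed TLS 1.3 ClientHello record (not a real browser capture)."""
    shares = [(X25519, b"\x11" * 32)]
    if hybrid:
        # hybrid share = X25519 point || Kyber768 public key
        shares.append((X25519KYBER768_DRAFT00, b"\x22" * (32 + KYBER768_PK_LEN)))
    entries = b"".join(struct.pack("!HH", g, len(k)) + k for g, k in shares)
    key_share = struct.pack("!H", len(entries)) + entries
    exts = struct.pack("!HH", KEY_SHARE_EXT, len(key_share)) + key_share
    # padding stands in for SNI, ALPN, supported_groups, signature_algorithms, ...
    exts += struct.pack("!HH", PADDING_EXT, 400) + b"\x00" * 400
    body = (b"\x03\x03" + b"\x00" * 32            # legacy_version, random
            + b"\x00"                             # legacy_session_id: empty
            + b"\x00\x02\x13\x01"                 # cipher_suites: TLS_AES_128_GCM_SHA256
            + b"\x01\x00"                         # compression: null only
            + struct.pack("!H", len(exts)) + exts)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


class SegmentedSocket:
    """Hands data out in MTU-sized chunks, like TCP delivering several packets."""
    def __init__(self, data, mss=1400):
        self.buf, self.mss = BytesIO(data), mss

    def recv(self, n):
        return self.buf.read(min(n, self.mss))


def read_record_naive(sock):
    """Buggy reader: assumes the whole record arrives in a single recv()."""
    data = sock.recv(16384)
    length = struct.unpack("!H", data[3:5])[0]
    if len(data) < 5 + length:
        return None  # truncated: a server written this way drops the handshake
    return data[5:5 + length]


def recv_exact(sock, n):
    out = b""
    while len(out) < n:
        chunk = sock.recv(n - len(out))
        if not chunk:
            raise ConnectionError("peer closed mid-record")
        out += chunk
    return out


def read_record(sock):
    """Correct reader: header first, then exactly the advertised length."""
    hdr = recv_exact(sock, 5)
    length = struct.unpack("!H", hdr[3:5])[0]
    return recv_exact(sock, length)


def key_share_groups(handshake):
    """Return the named groups offered in the key_share extension of a ClientHello."""
    assert handshake[0] == 1, "not a ClientHello"
    p = 4 + 2 + 32                                  # header, version, random
    p += 1 + handshake[p]                           # legacy_session_id
    p += 2 + struct.unpack("!H", handshake[p:p + 2])[0]   # cipher_suites
    p += 1 + handshake[p]                           # compression methods
    end = p + 2 + struct.unpack("!H", handshake[p:p + 2])[0]
    p += 2
    groups = []
    while p < end:
        etype, elen = struct.unpack("!HH", handshake[p:p + 4])
        p += 4
        if etype == KEY_SHARE_EXT:
            q, qend = p + 2, p + elen
            while q < qend:
                g, klen = struct.unpack("!HH", handshake[q:q + 4])
                groups.append(g)
                q += 4 + klen
        p += elen
    return groups


if __name__ == "__main__":
    for hybrid in (False, True):
        rec = build_client_hello(hybrid)
        naive = read_record_naive(SegmentedSocket(rec))
        full = read_record(SegmentedSocket(rec))
        print(f"hybrid={hybrid} record={len(rec)}B naive_ok={naive is not None} "
              f"groups={[hex(g) for g in key_share_groups(full)]}")
```

The classic hello fits in one segment and both readers accept it; the hybrid hello exceeds the segment size, so only the length-driven reader completes the handshake. Checking your own TLS terminators and inspection appliances against a ClientHello of this size is the practical test for the breakage reported with Chrome 124.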
Cyber Incidents
Georgia’s Coffee County recently faced a ransomware attack, prompting officials to disconnect from the state’s voter registration system, GARViS, as a precaution. The attack was identified by the federal Cybersecurity and Infrastructure Security Agency (CISA) on April 15, leading to ongoing investigations to determine the perpetrators. Although there was no direct breach of the GARViS system, the county took measures to ensure voter data security, temporarily using backup laptops and isolated networks for connectivity.
London Drugs, a prominent retail and pharmacy chain in Western Canada, temporarily closed all its stores due to a cybersecurity incident that occurred on Sunday. The company, headquartered in British Columbia, emphasized that the closure was a precautionary measure and reassured that there was no indication of customer or employee data being compromised. While the stores remain closed, the company’s pharmacists are available to assist with urgent needs, and London Drugs has engaged third-party experts to address and investigate the issue thoroughly.
Financial Business and Consumer Solutions (FBCS), a debt collection agency, recently disclosed a data breach impacting approximately 2 million individuals. Discovered on February 26, 2024, the breach involved unauthorized access to certain systems, with sensitive data such as Social Security numbers and account information potentially compromised. FBCS has initiated free credit monitoring for affected individuals and is working with third-party forensics specialists to further secure their systems and understand the full extent of the breach.
ICICI Bank, a prominent private bank in India, inadvertently exposed the sensitive data of thousands of new credit cards due to a glitch in its mobile banking app, ‘iMobile.’ The error resulted in customers accessing credit card details, such as card numbers, expiry dates, and CVVs, of other users. In response, the bank has blocked 17,000 affected cards and is reissuing new ones to ensure customer security, promising compensation for any potential financial loss.
Over 19,000 online accounts on BenefitsCal, a California state platform that handles welfare programs, were compromised through reused passwords. The breach occurred between March 1, 2023, and February 13, 2024, with the unauthorized access detected on February 9, 2024. In response, BenefitsCal deactivated the affected accounts and introduced additional security measures, including mandatory multi-factor authentication at login, to protect against future attacks of this kind.
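Both the Okta alert on credential stuffing and the BenefitsCal breach above turn on the same pattern: one source trying many accounts, or many proxy addresses each trying a few, with mostly failed logins and the occasional success against a reused password. The detection logic below, run over constructed authentication log lines, is an added example and not code from the original article, Okta or BenefitsCal; the log format, the IP addresses, usernames, thresholds and windows are all assumptions. It flags single-source sprays, flags windows where many one-shot addresses each fail against a different account (the residential-proxy case), and lists accounts that succeeded from a flagged source as candidates for a forced reset.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log (hypothetical format; documentation-range IPs).
SAMPLE_LOG = """\
2024-04-28T10:00:01Z ip=203.0.113.5 user=alice result=FAIL
2024-04-28T10:00:03Z ip=203.0.113.5 user=bob result=OK
2024-04-28T10:00:04Z ip=203.0.113.5 user=carol result=FAIL
2024-04-28T10:00:06Z ip=203.0.113.5 user=dave result=FAIL
2024-04-28T10:00:07Z ip=203.0.113.5 user=erin result=FAIL
2024-04-28T10:00:09Z ip=203.0.113.5 user=frank result=FAIL
2024-04-28T10:01:00Z ip=198.51.100.7 user=carol result=FAIL
2024-04-28T10:01:20Z ip=198.51.100.7 user=carol result=OK
2024-04-28T10:02:01Z ip=192.0.2.11 user=gina result=FAIL
2024-04-28T10:02:05Z ip=192.0.2.12 user=hank result=FAIL
2024-04-28T10:02:09Z ip=192.0.2.13 user=ivan result=FAIL
2024-04-28T10:02:14Z ip=192.0.2.14 user=judy result=FAIL
2024-04-28T10:02:18Z ip=192.0.2.15 user=kate result=FAIL
2024-04-28T10:02:22Z ip=192.0.2.16 user=liam result=FAIL
"""


def parse_line(line):
    ts, *kvs = line.split()
    ev = dict(kv.split("=", 1) for kv in kvs)
    ev["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return ev


def load_events(text):
    return sorted((parse_line(l) for l in text.splitlines() if l.strip()),
                  key=lambda e: e["ts"])


def single_source_stuffing(events, window=timedelta(minutes=10),
                           min_users=5, min_fail_ratio=0.8):
    """One IP, many distinct accounts, mostly failures inside a sliding window."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)
    flagged = set()
    for ip, evs in by_ip.items():
        start = 0
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            win = evs[start:end + 1]
            users = {x["user"] for x in win}
            fails = sum(x["result"] == "FAIL" for x in win)
            if len(users) >= min_users and fails / len(win) >= min_fail_ratio:
                flagged.add(ip)
                break
    return flagged


def distributed_stuffing(events, window=timedelta(minutes=10), min_single_shot_ips=5):
    """Many addresses (residential proxies) each failing once, all against different accounts.
    Returns the start of each fixed window in which that pattern appears."""
    buckets = defaultdict(list)
    for e in events:
        n = (e["ts"] - datetime.min) // window
        buckets[datetime.min + n * window].append(e)
    flagged = []
    for start, evs in sorted(buckets.items()):
        per_ip = defaultdict(list)
        for e in evs:
            per_ip[e["ip"]].append(e)
        single_fail = [ip for ip, x in per_ip.items()
                       if len(x) == 1 and x[0]["result"] == "FAIL"]
        targets = {per_ip[ip][0]["user"] for ip in single_fail}
        if len(single_fail) >= min_single_shot_ips and len(targets) == len(single_fail):
            flagged.append(start.strftime("%Y-%m-%dT%H:%M:%SZ"))
    return flagged


def likely_compromised(events, flagged_ips):
    """Accounts that logged in successfully from a flagged source: force a password reset."""
    return sorted({e["user"] for e in events
                   if e["ip"] in flagged_ips and e["result"] == "OK"})


def analyse(text=SAMPLE_LOG):
    events = load_events(text)
    ips = single_source_stuffing(events)
    return {"flagged_ips": sorted(ips),
            "distributed_windows": distributed_stuffing(events),
            "compromised": likely_compromised(events, ips)}


if __name__ == "__main__":
    print(analyse())
```

The per-IP rule alone misses the proxy case entirely, which is why the second rule counts one-shot failing addresses per window; tune `min_single_shot_ips` against your normal rate of isolated failed logins so that it fires on a campaign and not on ordinary typos. The `compromised` list is the actionable output: those are the accounts whose reused password was in the stolen list.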
Cyber News
The Department of Homeland Security (DHS) has established a new Artificial Intelligence Safety and Security Board, aimed at steering the safe implementation of AI technologies within U.S. critical infrastructure sectors. DHS Secretary Alejandro Mayorkas highlighted that the board, featuring leaders from OpenAI, Microsoft, Nvidia, and IBM, will develop practical guidelines for responsible AI use across sectors such as defense, energy, and IT. The board’s formation, directed by President Joe Biden, includes industry CEOs, government figures, and civil rights advocates, and is set to meet quarterly starting in May to address AI’s security risks and opportunities.
Starting April 29, a new UK law under the Product Security and Telecommunications Infrastructure (PSTI) Act will mandate IoT manufacturers, retailers, and importers to adhere to basic cybersecurity practices. This legislation requires that IoT products do not come with default passwords, offer a way to report vulnerabilities, and disclose the duration of security support. Violations of these new standards could result in fines up to £10 million or 4% of global annual revenue, aiming to boost security for devices like smart speakers, cameras, and more.
Meta has announced that it might discontinue WhatsApp services in India if the government persists in demanding changes to its encryption and user data policies. Representing WhatsApp, Tejas Karia argued in the Delhi High Court against the 2021 IT rules that require social media to trace the origin of messages, stating this would violate privacy by necessitating the decryption and storage of millions of messages. The Indian government insists these measures are crucial for combating fake news and hate speech, but Meta emphasizes that such regulations threaten the core privacy guarantees that define their service.
In 2023, cybersecurity experts at BeyondTrust identified 1,228 vulnerabilities in Microsoft products, a slight decrease from previous years but still significant given Microsoft’s extensive use in both corporate and personal environments. Windows, Edge, Office, and Windows Server remained key areas of concern, with critical vulnerabilities in Windows and Windows Server notably impactful. Despite the overall reduction, new types of vulnerabilities like Denial of Service and spoofing saw sharp increases, indicating evolving threats even as Microsoft continues to secure its products by retiring older, less secure versions and embracing more robust technologies.
Microsoft has introduced ICSpector, an open-source security tool designed to enhance threat analysis in industrial control systems amid rising nation-state attacks on critical infrastructure. The tool, which operates on an open-source framework, focuses on examining programmable logic controllers (PLCs) essential for operating utilities like water and power grids. Available on GitHub, ICSpector aids in detecting malicious modifications, extracting modification timestamps, and outlining task execution flows, thereby bolstering defenses against sophisticated cyber threats targeting operational technology.
Copyright © 2024 CyberMaterial. All Rights Reserved.