Recent Cybersecurity Issues In The News - mccright/FCCSCybersecurityInput GitHub Wiki
Some relatively-random cybersecurity incidents as an introduction
(use 'current' incidents... and there should be no trouble finding 'current' incidents whenever the session is presented):
- "MiTM phishing attack can let attackers unlock and steal a Tesla." By Bill Toulas. March 7, 2024. bleepingcomputer
- "FBI: U.S. lost record $12.5 billion to online crime in 2023." By Bill Toulas. March 7, 2024. bleepingcomputer
- "Apple fixes two new iOS zero-days exploited in attacks on iPhones." By Lawrence Abrams. March 5, 2024. "Apple is aware of a report that this issue may have been exploited," the company said in an advisory issued on Tuesday. The two bugs were found in the iOS Kernel (CVE-2024-23225) and RTKit (CVE-2024-23296), both allowing attackers with arbitrary kernel read and write capabilities to bypass kernel memory protections. Apple has not released information regarding ongoing exploitation in the wild... With these two vulnerabilities, Apple has fixed three zero-days so far in 2024, with the first in January. Last year, the company fixed a total of 20 zero-day flaws exploited in the wild. BleepingComputer
- See the 2023 wrap-up of the biggest cybersecurity stories and cyberattacks at BleepingComputer...
- "Mortgage firm LoanCare warns 1.3 million people of data breach." 27 December 2023. Mortgage servicer LoanCare's parent company, Fidelity National Financial, was breached, resulting in the exposure of sensitive data belonging to 1,316,938 LoanCare borrowers across the U.S. See the Fidelity National Financial cyberattack disclosure in an SEC filing. The customer information compromised includes full name, physical address, Social Security Number (SSN), and loan number, which can be used for targeted phishing, social engineering, and scamming attacks. It can also be used or sold to flesh out existing records for these 3.1 million individuals in existing criminal data-marts.
- "Genetics firm 23andMe says user data stolen in credential stuffing attack." 6 October 2023. Researcher/writer Bill Toulas reported that 23andMe -- a U.S. biotechnology and genomics firm offering genetic testing services to customers -- had confirmed that user data (including information about users' DNA Relatives profiles) from its platform was circulating on hacker forums, and attributed the leak to a credential-stuffing attack. A threat actor had leaked samples of 23andMe customer data and offered to sell that data in a range of different volumes. In response, 23andMe appears to be requiring that all customers reset their passwords and is encouraging them to use multi-factor authentication.
- Dark Reading staff, September 2023: "Apple Fixes 3 More Zero-Day Vulnerabilities -- All of the security bugs are under active attacks." See Apple for their description. These follow another three in May 2023, exposing targeted users to arbitrary code execution and unauthorized disclosure of sensitive information.
- Juveniles are hacking in increasing numbers -- especially ransomware or digital extortion. On 2023-09-26 the DoJ theorized that virtually "limitless access to an online for-profit criminal ecosystem" and other forces were foundational to the new trend. They reported that "teenage hackers like those who may have been behind recent cyberattacks on casinos (MGM Grand and Caesar's casinos) are being "radicalized" online in a way similar to people who once turned to terrorism". As is often the case, these juvenile hackers are manipulating employees at help centers as well as using technical means.
- Passwords still suck... The U.S. Interior Department recently reported (Jan 2023) that it had set up a security test to gauge the strength of its employees' passwords. Using inexpensive equipment and free, publicly available software plus a custom word list, they "successfully cracked more than 18,000 of the department's passwords, nearly 14,000 in the first 90 minutes of testing alone." Those 18,174 cracked passwords represented 21 percent of active user passwords, including 288 accounts with elevated privileges and 362 accounts of senior U.S. Government employees. The U.S. Interior Department systems were configured to allow some easy-to-guess passwords -- "Password-1234" was the most commonly reused password, used on 478 unique active accounts. In fact, 5 of the 10 most reused passwords at the Department included a variation of "password" combined with "1234". This is a reminder to check your password strength, quickly deactivate "inactive" accounts, and enable risk-reasonably strong multi-factor authentication across all your systems. If you don't, unauthorized parties will use those easy passwords in ways that will result in more or less harm to your organization -- and often beyond.
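A policy check of the kind the Interior audit argues for, written here as an added example (not Interior Department tooling or code from this page): it flags passwords built on "password" (including leet-speak spellings) or containing the digit run 1234, and summarises how many accounts in a directory export fail, including privileged ones. The sample accounts are constructed; the banned words beyond "password" and the 12-character floor are assumptions.

```python
import re
from collections import Counter

# Undo the substitutions people use to dress up a banned word ("P@ssw0rd").
LEET = str.maketrans({"@": "a", "0": "o", "$": "s", "3": "e", "!": "i", "|": "l"})
SEPARATORS = re.compile(r"[\s\-_.]+")
# "password" is the base word the audit found; the other two are assumed additions.
BANNED_WORDS = ("password", "welcome", "changeme")
MIN_LENGTH = 12  # assumed policy floor, not a figure from the audit


def normalize(pw: str) -> str:
    """Lowercase and drop separators so 'Password-1234' and 'password_1234' compare equal."""
    return SEPARATORS.sub("", pw.lower())


def weak_reasons(pw: str) -> list[str]:
    """Return the policy findings for one password; an empty list means it passes."""
    stripped = normalize(pw)
    deleeted = stripped.translate(LEET)  # digits 1, 2 and 4 survive; 0 and 3 become letters
    reasons = []
    if len(pw) < MIN_LENGTH:
        reasons.append("too_short")
    if any(word in deleeted for word in BANNED_WORDS):
        reasons.append("banned_word")
    if "1234" in stripped:
        reasons.append("digit_run_1234")
    return reasons


def audit(accounts: dict[str, str], privileged: frozenset = frozenset()) -> dict:
    """Summarise findings over a user -> password mapping, e.g. the cracked results of a test like the one above."""
    findings = {user: weak_reasons(pw) for user, pw in accounts.items()}
    findings = {user: why for user, why in findings.items() if why}
    reuse = Counter(normalize(pw) for pw in accounts.values())
    most_reused, count = reuse.most_common(1)[0]
    return {
        "accounts": len(accounts),
        "weak": len(findings),
        "weak_pct": round(100 * len(findings) / len(accounts), 1),
        "weak_privileged": sorted(u for u in findings if u in privileged),
        "most_reused": most_reused,
        "most_reused_count": count,
        "findings": findings,
    }


# Constructed sample directory export; not real accounts or Interior Department data.
SAMPLE = {
    "alice": "Password-1234",
    "bob": "P@ssw0rd_1234",
    "carol": "Summer2023!",
    "dave": "correct-horse-battery-staple-9",
    "erin": "password1234",
    "frank": "Welcome1234",
}
PRIVILEGED = frozenset({"bob", "dave"})

if __name__ == "__main__":
    report = audit(SAMPLE, PRIVILEGED)
    print(f"{report['weak']} of {report['accounts']} accounts ({report['weak_pct']}%) fail policy")
    print("privileged accounts failing:", report["weak_privileged"])
    print(f"most reused: {report['most_reused']!r} on {report['most_reused_count']} accounts")
    for user, why in report["findings"].items():
        print(f"  {user}: {', '.join(why)}")
```

The same `weak_reasons` check can run at password-set time so the variants the audit found never reach the directory in the first place.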
- If you use your fingerprint for strong authentication on your Android or HarmonyOS (Huawei) mobile device, you are probably at higher risk than you assume... A new attack called "BrutePrint" can -- in under 14 hours -- break into any Android device that is configured with only one fingerprint, and devices with more than one enrolled fingerprint will grant access in under 3 hours. This does not require nation-state resources to accomplish. It appears that any determined hostile party could execute this type of attack. Think of the many, many use cases where possession of your phone is considered strong authentication evidence and then explore the potential negative outcomes for each. For most of us, that scenario represents a material risk concern.
- The U.S. Marshals Service maintains its own Technical Operations Group (TOG), an IT organization with secret, specialized systems and networks that help the Marshals hunt down high-value suspects in the United States and in other countries. In early February 2023, the TOG infrastructure was the target of a successful ransomware attack (the U.S. Marshals have refused to pay the ransom). As of May 1, 2023, the TOG services had been unavailable for at least 10 weeks -- which severely impacts the Marshals' ability to locate criminals...
- See: "The 2023 Crypto Crime Report" from Chainalysis (it covers 2022). https://go.chainalysis.com/2023-crypto-crime-report.html
- Molly White, who runs Web3 Is Going Just Great, reported on 2023-01-13 that NFT GOD's (cryptocurrency) wallet was drained, and his social media accounts used to phish others, after a malware infection. "According to NFT GOD, his computer was infected with malware when he clicked a sponsored link in a Google search when he went to download the streaming software OBS. This is similar to an attack in April 2022 where scammers stole millions using malicious Google ads. According to NFT GOD, not only did the hackers drain his crypto wallet of his NFTs and crypto, including his beloved Mutant Ape, but they also hijacked his accounts (Twitter, Substack, Gmail, Discord, and wallets) to send out phishing links to his substantial followers. The person who purchased the stolen ape (for 16.65 ETH, ~$25,800) said he was willing to sell the ape back to NFT GOD for the same price they paid for it, which seemed to be taken as good news by NFT GOD."
- Russian violent anti-democracy and (virtually) anti-'anything-Liberal-West' efforts continue to incorporate heavy investments in cyber attacks. One of the most prominent is being played out in Ukraine, where large-scale Russian cyber attacks on Ukrainian banks and government infrastructure seemed to be the opening shots of Putin's ongoing war of aggression. This on-line activity has persisted through this week, when Russian hackers allegedly targeted a Ukrainian press briefing about cyberattacks.
- A cyberattack that forced the Suffolk County, NY, government offline for weeks this fall began when county clerk's office systems were breached on Dec. 19, 2021 via a log4j software vulnerability. The attackers, BlackCat/ALPHV-affiliated threat actors, explored and exploited the county government infrastructure for eight months and 21 days, stole sensitive data, and requested a $2.5M ransom in September 2022. The county government was still not back to pre-hack functionality on 2022-12-21. "The cyberattack on Suffolk County, NY (A-/Stable) highlights increased risks to U.S. state and local governments as such attacks become more common, according to Fitch Ratings".
- Email addresses and Windows Active Directory information for over 77,000 Uber employees were posted by a member of the Lapsus$ hacking group, which is believed to be responsible for numerous high-profile attacks. This was in the midst of a dump of mobile device management application source code. Security researchers who have analyzed the leak told BleepingComputer that the internal Uber corporate information contains enough detailed information to conduct targeted phishing attacks on Uber employees to acquire more sensitive information. It appears that the attack and data theft happened via an Uber vendor used for asset management and tracking, Teqtivity, which admitted a breach on 2022-12-12.
- This story is about a successful hack, but maybe more importantly, about another multiple-billion dollar crypto crash. The FTX cryptocurrency trading exchange appears to have unraveled the week beginning 2022-11-06. Part of the concerns driving the FTX implosion were associated with the business, financial, and accounting practices of Sam Bankman-Fried's crypto ecosystem. The Financial Times wrote on Friday 2022-11-11 that FTX filed for Chapter 11 bankruptcy protection in the U.S. -- and CNBC followed up with reporting that FTX had only $900 million in "easily sellable assets" against $9 billion of liabilities. Then, late on Friday 2022-11-11, credible reports said that FTX accounts were being robbed and more than $600 million was taken -- even though a bright red banner across the top of some ftx.com web pages said, "FTX is currently unable to process withdrawals. We strongly advise against depositing. Deposits of TRX, BTT, JST, SUN, and HT are disabled." Reporting on the 12th said that (at least some of) the accounts used in the theft(s) were being identified. Maybe the theft (aka "unauthorized transactions") was only $400 million, or $515 million. Or maybe that level of detail hardly matters when FTX was valued in January 2022 at $32 billion and this week told the bankruptcy court that they had roughly $900 million in useful assets... Grift at this scale seems to be a feature of the cryptoverse. See some opinion on the subject at: https://www.washingtonpost.com/opinions/2022/11/11/crypto-bubble-implode-ftx-bitcoin-ethereum/.
- Review the long list of trust issues in "Mysterious company with government ties plays key internet role -- TrustCor Systems vouches for the legitimacy of websites. But its physical address is a UPS Store in Toronto." By Joseph Menn Updated November 8, 2022 https://www.washingtonpost.com/technology/2022/11/08/trustcor-internet-addresses-government-connections/
- In July 2022 software supply chain security company Phylum's analysis automation found hostile versions of some PyPI-hosted components. Three months later, in late October, their systems discovered dozens more PyPI packages attempting to deliver W4SP Stealer. Ireland-based software development house Cyclonis Limited described some of the risks when it wrote that "the W4SP stealer can scrape and exfiltrate Discord tokens and browser cookies, as well as scrape directories for a list of keywords, hoping to find more sensitive information." As of 1 Nov 2022, Phylum researchers believe that collectively the compromised packages accounted for over 5700 downloads.
- According to early reporting, an attacker socially engineered an Uber employee after identifying that employee's WhatsApp number. The hostile party then convinced the Uber employee to log into the attacker's fake Uber site. Using the Uber employee's inputs (credentials) and direct MFA input from the Uber employee, the attacker logged into the genuine Uber network VPN. The hostile actor found administrator credentials hard-coded in PowerShell scripts used to automate logging into a number of Uber's sensitive, non-public networks. At a minimum, the attacker explored administrator-level access to Uber source code, email and other internal systems as well as Uber's AWS and GSuite environments, and then shared screenshots of their work via company-wide Uber Slack channels. In response, Uber appears to have shut down access to a number of their systems for a period of time. Engaging in their typical behavior in the face of unflattering exposure of their inner workings, Uber was sharing nothing useful about the incident as of 17 Sept. 2022. Here is how the breach was characterized in a 15 Sept 2002 New York Times article by Kate Conger and Kevin Roose:
“They pretty much have full access to Uber,” said Sam Curry, a security engineer at Yuga Labs who corresponded with the person who claimed to be responsible for the breach. “This is a total compromise, from what it looks like.”
- In early August 2022, Check Point Software detected "supply-chain attacks" that used 10 malicious packages on PyPI (the Python Package Index). PyPI is a repository of software components for the Python programming language (pypi.org indicated that it had 615,673 active users on 2002-08-17). Most Python developers are familiar with 'pip install', used to download the Python components they need for any given application. Following responsible disclosure by Check Point, PyPI removed the following Python packages:
- ascii2text -- executed a hostile script that identified local passwords and then uploaded them.
- Pyg-utils -- harvested users' AWS credentials
- Pymocks -- harvested users' AWS credentials
- PyProto2 -- harvested users' AWS credentials
- Test-async -- executed "probably malicious code"
- Free-net-vpn -- harvested the user's credentials
- Free-net-vpn2 -- harvested the user's credentials
- Zlibsrc -- downloaded and ran a malicious file
- Browserdiv -- stole the installer's credentials
- WINRPCexploit -- harvested the user's credentials
- In late July 2022, Anurag Sen (@hak1mlukha) and TechCrunch's Zack Whittaker reported that JusTalk and JusTalk Kids (owned/operated by Ningbo Jus/Juphoon) exposed what appeared to be all user mobile phone numbers (and JusTalk 2nd Phone Numbers), IP addresses, physical locations, and message content via a rolling, 30-day, clear-text log of all user interactions (hundreds of GB of data for months, at least since Jan 2022). JusTalk has around 20 million international users, and JusTalk Kids has over 1 million Android downloads, so the data exposure is material. Despite that long-running data exposure JusTalk asserts end-to-end encryption -- in late July 2022 JusTalk still assured current, future, and past users that their data is safe:
"Secure Data Encryption: Rest assured your calls and messages are secured. Only you and the person you communicate with can see, read, or listen to them: even the JusTalk team won't access your data!" Quote viewed on justalk.com/ on 2022-07-27.
- In early July 2022 cybersecurity giant Entrust -- which describes itself as a global leader in identities, payments and data protection -- announced to its customers that it had suffered a breach on June 18th that allowed an unauthorized party to access its internal operations. Entrust says its customers include 10,000 companies, so the exposure could be material. See the Okta incident below for another example of a security incident at a top-tier security organization.
- In May 2022 popular Python and PHP libraries were hijacked to steal AWS keys, credentials, and other sensitive information. Ax Sharma reported that the PyPI module 'ctx' -- downloaded over 20,000 times a week -- had been compromised in a software supply chain attack. The threat actor replaced the older, safe versions of 'ctx' with code that exfiltrates data to the Heroku endpoint: https://anti-theft-web.herokuapp[.]com/hacked. The malicious versions stole the developer's/the system's environment variables to collect secrets like Amazon AWS keys and credentials. Similarly, widely used versions of a 'phpass' fork published to the PHP/Composer package repository Packagist were altered to steal secrets in a similar fashion. Later Sharma wrote that "the hijacker of these libraries is an Istanbul-based security researcher, Yunus Aydın aka SockPuppets, who has attested to the fact when approached by BleepingComputer. He claims his rationale for stealing AWS tokens was to demonstrate the 'maximum impact' of the exploit." Because it involved actual theft of others' identities and secrets, this seems unethical and possibly an inaccurate description of Mr. Aydin's activities. The attacker used automation to seek out components owned by users with expired domains, then took over an expired domain, re-created the maintainer's email address, and brute-forced the credentials for an associated GitHub repository (i.e. repo-jacking).
- Sultan Qasim Khan, principal security consultant at the security firm NCC Group, recently (announced 2022-05-16) demonstrated how to unlock, start, and drive away Tesla Model 3 and Y cars equipped with keyless entry. By relaying communications between a car owner's mobile phone, or key fob, and the targeted car, hostile parties can trick the keyless entry system into believing the owner is physically near the vehicle (and therefore trusted). Tesla's and other vendors' engineers, architects, and developers appear to have trusted Bluetooth Low Energy (BLE) communications because they wrongly assumed that they would come from the authorized client device and that the device was nearby and in the hands of an authorized party. NCC Group researchers showed that this trust was misplaced and that the vendors did not invest enough in resisting relatively simplistic abuse cases. In reality, using this relay model:
"An attacker could walk up to any home at night – if the owner's phone is at home - with a Bluetooth passive entry car parked outside and use this attack to unlock and start the car (and) once the device is in place near the fob or phone, the attacker can send commands from anywhere in the world."
- A group of researchers from the Technical University of Darmstadt in Germany have found that malware can be loaded onto modern iPhones even when they are turned off (announced 2022-05-12). Apple introduced a feature in iOS 15 that enables you to locate your iPhone even if it has run out of battery power or has been shut off. The researchers exploit that new feature -- which keeps key components of the iPhone exposed as attack surface -- using malware injection techniques already employed against high-value targets like journalists, politicians, government critics and those having authorized access to corporate secrets or funds... Their approach loads malware onto a Bluetooth chip (still reachable via Bluetooth Low Energy (BLE), being an LPM-supported chip with Local Firmware Modification permissions) that is executed while the iPhone is powered off (which in Apple-speak means running in "Low Power Mode").
- Okta is an authentication services provider used by thousands of organizations worldwide. When you think 'single sign on' (SSO), that is what Okta enables. Okta was breached by hacking group Lapsus$, who posted screenshots to its Telegram channel claiming to be of Okta's internal systems, including one that appeared to show Okta's Slack channels and another with a Cloudflare interface. Writing in its Telegram channel, Lapsus$ claimed to have had "Superuser/Admin" access to Okta's systems for two months but said its focus was only on Okta customers. Okta slow-walked expanding admissions about their breach in early 2022. The scope of this incident is material, but still ill-defined. It is increasingly clear that Lapsus$ had the ability to change Okta customers' passwords for some period of time. See: https://www.reuters.com/technology/authentication-services-firm-okta-says-it-is-investigating-report-breach-2022-03-22/ and https://www.theverge.com/2022/3/22/22990637/okta-breach-single-sign-on-lapsus-hacker-group
- See: "Capital One Concerns Linked To Overconfidence Bias?" https://completosec.wordpress.com/2019/08/02/capital-one-concerns-linked-to-overconfidence-bias/
- See: "Mobile App Password Reset Flaw – $500K Stolen." https://completosec.wordpress.com/2019/07/04/mobile-app-password-reset-flaw-500k-stolen/
- See: "Input Validation Error Creates Widespread RCE Vulnerability" at: https://completosec.wordpress.com/2019/07/02/input-validation-error-creates-widespread-rce-vulnerability/
- For an example of what must be widespread hubris, see this story about more than 6,600 keys/secrets found in Samsung source code https://www.securityweek.com/thousands-secret-keys-found-leaked-samsung-source-code
- For an end of the world as we know it security story, see: "The Most Powerful Data Broker in the World Is Winning the War Against the U.S." By Matt Pottinger and David Feith, 30 Nov 2021 at: https://www.nytimes.com/2021/11/30/opinion/xi-jinping-china-us-data-war.html
- For some background on the expanding criminal industry of ransomware where criminal syndicates have evolved a "conveyor-belt-like process of hacking, encrypting and then negotiating for ransom in cryptocurrencies:" https://www.nytimes.com/2021/12/06/world/europe/ransomware-russia-bitcoin.html
- Last Friday ZDNet published a note by Steve Ranger announcing that the hacking group believed to be behind a successful attack on industrial control systems at a petrochemical plant in Saudi Arabia is now poking at US and Asia-Pacific power grids. Malware linked to a Russian state-owned research lab targeted safety systems and was designed to cause loss of life or physical damage. The attacks begin by getting a foothold using lists of previously stolen credentials and by coaxing targeted users to 'click' - email, browser plug-ins, watering-hole links, etc. https://www.zdnet.com/article/this-most-dangerous-hacking-group-is-now-probing-power-grids/
The bullets below are from the original presentation in the summer of 2019. The bullets above are more recent additions...
- Last Thursday the U.S. Securities and Exchange Commission published an alert about risks associated with misconfigured data storage systems. SEC inspections find that companies have failed to properly secure network-accessible storage systems - for example misconfigured network attached storage [NAS], databases, and cloud storage servers. "Although the majority of these network storage solutions offered encryption, password protection, and other security features designed to prevent unauthorized access, [OCIE] examiners observed that firms did not always use the available security features." The SEC highlighted three core issues: 1. misconfiguring the security settings; 2. inadequate oversight of vendor-provided third-party services; 3. unfamiliarity with their data led companies to configure inappropriate access. https://www.zdnet.com/article/sec-security-alert-warns-about-misconfigured-nas-dbs-and-cloud-storage-servers/ also https://threatpost.com/files-exposed-record-misconfigs/145177/
- Last Thursday Yubico announced a vulnerability in some of their hardware tokens used in high-security use cases. Yubico will be replacing the vulnerable YubiKey FIPS security keys for all users that request them. This follows a similar hardware token vulnerability and replacement program by Google last month. These types of tokens are generally used in strong 2-factor authentication systems, where vulnerabilities cannot be ignored. https://www.yubico.com/support/security-advisories/ysa-2019-02/ and https://security.googleblog.com/2019/05/titan-keys-update.html
- Last Monday researchers disclosed that major vulnerabilities in HSMs (Hardware Security Modules) were impacting financial services enterprises, cloud providers, governments, and more. HSMs are hardware-isolated crypto devices that store and manipulate sensitive information like digital keys, passwords, PINs, and other secrets. They are add-in cards in servers, PCs, even some mobile devices, network-connected encryption devices, or units that look like USB-connected thumb drives. Two security researchers revealed vulnerabilities [back doors] in HSMs that can be exploited remotely to retrieve sensitive data stored inside these specialized computer components. https://cryptosense.com/blog/how-ledger-hacked-an-hsm/ and related https://cryptosense.com/blog/the-untold-story-of-pkcs11-hsm-vulnerabilities/
- A little over a week ago 70,000 routes associated with some of Europe's largest networks in Switzerland, Holland, and France were redirected through China for two hours (an eternity). Oracle reported that "A Swiss data center colocation company [BGP] leaked over 70,000 routes to China Telecom in Frankfurt, Germany. China Telecom then announced these routes on to the global internet redirecting large amounts of internet traffic destined for some of the largest European mobile networks through China Telecom's network." The same ISP was accused last year of "hijacking the vital internet backbone of western countries." https://blogs.oracle.com/internetintelligence/large-european-routing-leak-sends-traffic-through-china-telecom.
- More than 6 weeks after a ransomware cyberattack hobbled Baltimore's computer network, city officials still say they can't predict when its operations will be 100% up and running... As of last Wednesday, 70 percent of city employee email accounts were active again, and by the end of the week they hoped to be up to 95%. Some city billing systems, however, remained non-functional. City response/recovery costs were up to $18M. https://wtop.com/baltimore/2019/05/8-days-after-cyberattack-baltimores-network-still-hobbled/ and https://baltimore.cbslocal.com/2019/06/12/baltimore-ransomware-attack-inches-closer-to-normal/
- Last month Microsoft released security updates for some out-of-support systems to fix a bug that could be weaponized as a worm if exploited. https://www.darkreading.com/endpoint/microsoft-patches-wormable-vuln-in-windows-7-2003-xp-server-2008/d/d-id/1334709 This is a critical unauthenticated, remote code execution flaw in Remote Desktop Services (RDS, also known as Terminal Services) which affects some older versions of Windows. This type of vulnerability supports malware propagating across vulnerable machines -- 'worm' behavior.
- Last month, the more than 1.5 billion WhatsApp users learned that the application's end-to-end encryption failed to stop attacks against its audio call features that allowed attackers to install malware & conduct surveillance on exploited users -- even when they did not answer the attacker's call. https://www.wired.co.uk/article/whats-app-hacked
'Cybersecurity' - What is it?
Discuss the breadth of this topic: https://en.wikipedia.org/wiki/Computer_security and https://en.wikipedia.org/wiki/Category:Computer_security
RESOURCES
- List of Data Breaches https://en.wikipedia.org/wiki/List_of_data_breaches
- Brian Krebs' Data Breaches in Depth https://krebsonsecurity.com/category/data-breaches/
- Data Breach Today https://www.databreachtoday.com/
- Privacy Rights Clearinghouse https://www.privacyrights.org/data-breaches
- Data Breaches Reported to the State of Iowa https://www.iowaattorneygeneral.gov/for-consumers/security-breach-notifications/
- ';--have i been pwned? https://haveibeenpwned.com/
- Research related to hostile software https://research.checkpoint.com/