CISO Daily Update - May 3, 2024
NEW DEVELOPMENTS
Dropbox Says Attackers Accessed Customer and MFA Info, API Keys
Source: Help Net Security
Dropbox confirmed a breach of the production environment of Dropbox Sign (formerly HelloSign) that exposed customer personal and authentication data. The attacker compromised a service account in the Sign backend (a non-human account used to run automated services) and used its privileges to reach the customer database. Exposed data includes email addresses, usernames, phone numbers, hashed passwords, API keys, OAuth tokens, and multi-factor authentication settings. Dropbox has found no evidence that the contents of customer accounts (documents, agreements, templates) or payment information were accessed. Affected customers are advised to reset passwords, rotate API keys, and delete and re-enroll their authenticator app entries, since the existing MFA secrets should be treated as compromised. Dropbox is continuing its investigation and has notified law enforcement and regulatory authorities.
Data Breach Hits Panda Restaurants
Source: SC Media
Panda Restaurant Group, the parent company of Panda Express and Hibachi-San, disclosed a data breach that compromised personal information of current and former employees. Between March 7 and March 11, an unauthorized party accessed the company's corporate systems and exfiltrated data including names, driver's license numbers, and other personal information belonging to employees. Panda states that customer data and store operations were not affected, that the incident has been contained, and that additional safeguards have been put in place. The full scope is still under investigation by law enforcement and outside cybersecurity firms, and the number of affected individuals has not yet been determined.
Cybersecurity Consultant Arrested After Allegedly Extorting IT Firm
Source: Bleeping Computer
A former cybersecurity consultant, Vincent Cannady, was arrested for allegedly attempting to extort a publicly traded IT company by threatening to disclose confidential data unless it paid him $1.5 million. After his termination, Cannady allegedly used access he still held to download confidential and proprietary information, including architectural diagrams, trade secrets, and details of potential system vulnerabilities. When confronted, he reportedly escalated his threats and cut off the company's access to the laptop he had been issued. He also reportedly brought the media into the dispute and framed the payment as a settlement that would avert legal action. If convicted on the extortion charge, he faces up to 20 years in prison. The case is a reminder that offboarding must revoke access and recover devices before the termination conversation, not after it.
Microsoft Graph API Emerges as a Top Attacker Tool to Plot Data Theft
Source: Dark Reading
The Microsoft Graph API has become a favored channel for attackers to exfiltrate data and run command-and-control through legitimate Microsoft cloud services such as OneDrive. Nation-state espionage groups and cybercriminals alike use it because traffic to Microsoft endpoints blends in with ordinary Microsoft 365 activity, and blocking the Graph hosts outright is impractical when the same hosts serve the organization's own tenant. Recent investigations document a growing number of malware families built around this tactic. The practical defense is to control which tenants the network may talk to rather than to block Graph itself: watch for unsanctioned cloud accounts, and restrict outbound Microsoft 365 connections to the organization's own enterprise tenant(s) so that a token issued by an attacker-controlled tenant cannot be used from inside the network.
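The tenant check described above, as an added example that is not code from the article or from the investigations it cites. It assumes a TLS-inspecting proxy that logs the Authorization header of each request in a hypothetical space-separated format, and a hypothetical allow-list of tenant IDs; the sample log lines and tokens are constructed, and the token signature is never verified because the only question is which tenant issued it.

```python
import base64
import json

# Hypothetical enterprise tenant ID: replace with the GUID(s) of your own tenant(s).
ALLOWED_TENANTS = {"11111111-1111-1111-1111-111111111111"}


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_sample_token(tenant_id: str, app_id: str) -> str:
    """Build a JWT-shaped access token for the constructed log lines below.
    The signature is a placeholder; nothing here validates signatures."""
    header = _b64url_encode(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps({"aud": "https://graph.microsoft.com",
                                         "tid": tenant_id, "appid": app_id}).encode())
    return f"{header}.{payload}.placeholder-signature"


def token_tenant(token: str):
    """Read the tid (tenant ID) claim from an Entra ID access token.

    The signature is deliberately not checked: the question is which tenant
    issued the token, not whether it is valid, and a token the attacker minted
    in their own tenant is perfectly valid anyway."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    try:
        claims = json.loads(_b64url_decode(parts[1]))
    except (ValueError, UnicodeDecodeError):
        return None
    return claims.get("tid") if isinstance(claims, dict) else None


def find_foreign_tenant_calls(log_lines, allowed=ALLOWED_TENANTS):
    """Flag Graph API requests whose bearer token was issued by a tenant we do not own.

    Assumed (hypothetical) log format, one request per line:
    '<src_ip> <host> <method> <path> <authorization header value>'."""
    findings = []
    for line in log_lines:
        fields = line.split(" ", 4)
        if len(fields) != 5:
            continue
        src, host, method, path, authz = fields
        if host.lower() != "graph.microsoft.com":
            continue
        if not authz.startswith("Bearer "):
            continue
        tid = token_tenant(authz[len("Bearer "):])
        if tid is None:
            findings.append((src, method, path, "unparseable bearer token"))
        elif tid not in allowed:
            findings.append((src, method, path, f"token issued by foreign tenant {tid}"))
    return findings


# Constructed sample traffic. The second line is the pattern to worry about: an
# internal host pushing a file into OneDrive through Graph with a token from a
# tenant that is not ours.
SAMPLE_LOG = [
    "10.0.0.5 graph.microsoft.com GET /v1.0/me/messages Bearer "
    + make_sample_token("11111111-1111-1111-1111-111111111111", "outlook-client"),
    "10.0.0.9 graph.microsoft.com PUT /v1.0/me/drive/root:/upload/host9.zip:/content Bearer "
    + make_sample_token("99999999-9999-9999-9999-999999999999", "attacker-app"),
    "10.0.0.9 graph.microsoft.com GET /v1.0/me/drive/root/children Bearer not.a.jwt.at.all",
    "10.0.0.7 login.microsoftonline.com POST /common/oauth2/v2.0/token -",
]

if __name__ == "__main__":
    for finding in find_foreign_tenant_calls(SAMPLE_LOG):
        print(*finding)
```

This is a hunting query, not a preventive control. The enforcement counterpart is Microsoft's tenant restrictions feature, where the outbound proxy inserts a Restrict-Access-To-Tenants header listing the permitted tenant IDs on traffic to the Microsoft login endpoints, so tokens for any other tenant are never issued to clients inside the network in the first place.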
DPRK's Kimsuky APT Abuses Weak DMARC Policies, Feds Warn
Source: Dark Reading
The FBI and NSA issued a joint advisory warning that North Korea's Kimsuky APT group exploits weak or missing DMARC (Domain-based Message Authentication, Reporting and Conformance) policies to send spear-phishing emails that appear to come from trusted organizations. DMARC lets a domain owner tell receiving mail servers what to do with messages that fail SPF and DKIM alignment checks; a domain published with p=none (monitor only) or with no record at all can therefore be spoofed freely, and Kimsuky picks such domains for its lures to make them more credible. The group's targets are journalists, think tanks, and government agencies whose correspondence yields geopolitical intelligence. To close this vector, organizations should publish DMARC records with a policy of "quarantine" or "reject", after first confirming that all of their legitimate mail sources pass SPF and DKIM, since an enforcing policy also applies to misconfigured senders of their own.
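A DMARC record assessment of the kind the advisory calls for, added here as an example and not taken from the advisory or the article. It classifies a domain's published record as missing, weak, or enforcing and explains why; the records below are constructed for the demonstration (the domain names are hypothetical), and a real checker would fetch the TXT record at _dmarc.<domain> instead of taking it as a string.

```python
def parse_dmarc(record):
    """Parse the tag=value list of a DMARC TXT record.

    Returns a dict of lower-cased tags, or None when the text is not a
    DMARC record (missing or wrong v= tag, malformed tag)."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            return None
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        return None
    return tags


def assess_dmarc(record):
    """Classify a domain's DMARC posture from its record text.

    Returns (verdict, reasons). 'enforcing' means a receiver will quarantine
    or reject every message that fails SPF/DKIM alignment; anything else
    leaves the domain usable for spoofing."""
    tags = parse_dmarc(record) if record else None
    if tags is None:
        return "missing", ["no valid DMARC record: spoofed mail is delivered like any other"]

    reasons = []
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        # RFC 7489 6.6.3: a record without a valid p= is treated as p=none when it
        # carries a rua= address, and is otherwise ignored entirely.
        return "weak", ["p= tag missing or invalid: receivers fall back to p=none or ignore the record"]
    if policy == "none":
        reasons.append("p=none only requests reports; failing mail still reaches the inbox")

    pct_raw = tags.get("pct", "100")
    pct = int(pct_raw) if pct_raw.isdigit() else None
    if pct is None:
        reasons.append(f"pct={pct_raw} is not a number; the record is malformed")
    elif policy != "none" and pct < 100:
        reasons.append(f"pct={pct} applies the policy to only {pct}% of failing messages")

    subpolicy = tags.get("sp", policy).lower()
    if policy != "none" and subpolicy == "none":
        reasons.append("sp=none leaves every subdomain spoofable")

    if "rua" not in tags:
        reasons.append("no rua= address, so spoofing of the domain goes unreported")

    enforcing = policy in ("quarantine", "reject") and pct == 100 and subpolicy != "none"
    return ("enforcing" if enforcing else "weak"), reasons


# Constructed sample records for hypothetical domains, not real DNS data.
SAMPLE_RECORDS = {
    "good.example":    "v=DMARC1; p=reject; sp=reject; rua=mailto:dmarc@good.example",
    "monitor.example": "v=DMARC1; p=none; rua=mailto:dmarc@monitor.example",
    "partial.example": "v=DMARC1; p=quarantine; pct=10",
    "absent.example":  "",
}

if __name__ == "__main__":
    for domain, record in SAMPLE_RECORDS.items():
        verdict, reasons = assess_dmarc(record)
        print(f"{domain}: {verdict}")
        for reason in reasons:
            print(f"  - {reason}")
```

Run against your own domains, the useful order of operations is: publish p=none with a rua= address, read the aggregate reports until every legitimate sender aligns, then move to p=quarantine with pct=100 and finally p=reject. A p=quarantine record with a low pct= is a common half-measure that still lets most spoofed mail through, which is why the checker treats it as weak.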
US and UK Warn of Disruptive Russian OT Attacks
Source: Infosecurity Magazine
US, UK, and Canadian security agencies issued a joint advisory warning that pro-Russia hacktivists have been targeting operational technology (OT) in North America and Europe since 2022. The activity focuses on small, internet-exposed OT installations across sectors including water and wastewater, dams, energy, and food and agriculture. The actors reach human-machine interfaces (HMIs) over the internet, typically through remote-access software protected only by default or weak passwords, and then push equipment beyond its normal operating parameters, alter settings, and disable alarms; at least one water facility suffered a tank overflow as a result. Recommended mitigations are to take HMIs off the internet (or put them behind a VPN with multi-factor authentication), change default passwords, keep the ability to run processes manually, and maintain regular vulnerability scanning, testing, and cyber-hygiene practices.
REvil Ransomware Scum Sentenced to Almost 14 Years Inside, Ordered to Pay $16 Million
Source: The Register
Yaroslav Vasinskyi, a 24-year-old Ukrainian national and member of the REvil (Sodinokibi) ransomware gang, has been sentenced to nearly 14 years in prison and ordered to pay more than $16 million in restitution for his role in over 2,500 ransomware attacks. REvil's operations, which relied on double extortion (encrypting data and threatening to leak it), produced ransom demands totaling more than $700 million. Following his 2022 arrest and extradition to the United States, Vasinskyi pleaded guilty to charges including conspiracy to commit fraud, damaging protected computers, and conspiracy to commit money laundering. The sentence reflects the US Justice Department's strategy of targeting individual operators while also seizing ransomware proceeds through asset-forfeiture actions against REvil's financial infrastructure.
VULNERABILITIES TO WATCH
Cisco IP Phones Exposed: Vulnerabilities Allow Hackers to Disrupt, Spy, and Even Make Calls
Source: SecurityOnline.info
Cisco published advisories for several vulnerabilities in the firmware of multiple IP Phone models that can be exploited remotely. Depending on the flaw, an attacker could cause a denial-of-service condition, read sensitive information from the device, or place unauthorized calls. Because these phones are widely deployed in business environments, the flaws are a meaningful risk to the confidentiality and availability of voice communications. Cisco has released fixed firmware and urges affected organizations to apply it promptly. No exploitation has been reported so far, but IP phones are often left unpatched for long periods, so upgrading now is the right way to stay ahead of future attempts.
New "Goldoon" Botnet Targets D-Link Routers With Decade-Old Flaw
Source: The Hacker News
A new botnet dubbed Goldoon is exploiting CVE-2015-2051, a nearly decade-old command-injection flaw in D-Link routers, to compromise devices and use them for further attacks such as DDoS. The malware establishes persistence on the router, communicates with a command-and-control server, and supports 27 different DDoS flood techniques. Although the vulnerability is old, it has low attack complexity and remains a critical risk on any router that was never updated. The campaign is another instance of the persistent interest of both cybercriminals and APT actors in compromising routers, which serve not only as DDoS nodes but also as anonymization layers and proxy networks.
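A detection for exploitation attempts of this kind, added here as an example and not code from the article or from the Goldoon analysis. It relies on the public description of CVE-2015-2051: the D-Link HNAP handler passes the SOAPAction header value to a shell, so exploits append a command to the action URI. The sample requests are constructed (the addresses are private and documentation ranges), and the regex is a starting point, not a complete signature.

```python
import re

# Shell metacharacters that never belong in a legitimate HNAP SOAPAction URI,
# which is a plain "http://purenetworks.com/HNAP1/<Action>" string.
SHELL_METACHARS = re.compile(r"[`;|&$<>(){}]")


def parse_request(raw: str):
    """Split a raw HTTP request into (method, path, headers); header names are lower-cased.
    Returns None when the request line is not well formed."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    request_line = lines[0].split(" ")
    if len(request_line) != 3:
        return None
    method, path, _version = request_line
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return method, path, headers


def flag_hnap_injection(raw: str):
    """Return a description of a suspicious HNAP request, or None if it looks benign.

    Keys on shell metacharacters inside the SOAPAction header of requests to the
    HNAP endpoint, the injection point described for CVE-2015-2051."""
    parsed = parse_request(raw)
    if parsed is None:
        return None
    method, path, headers = parsed
    if not path.upper().startswith("/HNAP1"):
        return None
    action = headers.get("soapaction", "").strip('"')
    if SHELL_METACHARS.search(action):
        return f"{method} {path}: shell metacharacters in SOAPAction: {action}"
    return None


# Constructed sample requests, not captured traffic.
BENIGN = ("POST /HNAP1/ HTTP/1.1\r\nHost: 192.168.0.1\r\n"
          "SOAPAction: \"http://purenetworks.com/HNAP1/GetDeviceSettings\"\r\n"
          "Content-Type: text/xml\r\n\r\n<soap:Envelope/>")
INJECTED = ("POST /HNAP1/ HTTP/1.1\r\nHost: 198.51.100.23\r\n"
            "SOAPAction: \"http://purenetworks.com/HNAP1/GetDeviceSettings/`id`\"\r\n"
            "Content-Type: text/xml\r\n\r\n<soap:Envelope/>")
OTHER_PATH = "GET /index.html HTTP/1.1\r\nHost: 192.168.0.1\r\n\r\n"

if __name__ == "__main__":
    for name, request in (("benign", BENIGN), ("injected", INJECTED), ("other", OTHER_PATH)):
        print(name, "->", flag_hnap_injection(request))
```

The same rule can be fed from a web proxy or IDS that exposes raw headers. For the routers themselves, detection is secondary: a DIR-645 that still accepts this request is running firmware from 2015 or earlier and should be replaced, and HNAP should not be reachable from the WAN side on any router that offers the option.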
Critical MailCleaner Vulnerabilities Let Attackers Execute Arbitrary Commands
Source: Cyber Security News
Multiple critical vulnerabilities in the MailCleaner email security appliance, affecting versions before 2023.03.14, allow remote unauthenticated attackers to fully compromise the appliance. The flaws include remote code execution, command injection, cross-site scripting usable for session hijacking, unauthorized data access, and lateral movement between nodes of a clustered deployment. An attacker who chains them gains complete control of the MailCleaner system, can intercept and manipulate every email it processes, and can escalate privileges on the host, putting at risk the confidentiality, integrity, and availability of all mail that passes through the gateway. Patches addressing the vulnerabilities (CVE-2024-3191 through CVE-2024-3196) have been released and should be applied to every node in the deployment.
SPECIAL REPORTS
Three-quarters of CISOs Admit App Security Incidents
Source: Infosecurity Magazine
A recent Dynatrace report found that 72% of global CISOs have experienced an application security incident in the past two years, with consequences including lost revenue, regulatory fines, and loss of market share. Poor alignment between CISOs and their boards, and difficulty expressing security risk in business terms, were identified as the key underlying problems. The report also records mixed views on AI in application security: it can accelerate software delivery without the controls to match, and it can equally empower attackers. Dynatrace's CTO emphasized the need for organizations to modernize their security tooling and practices to keep pace with these threats.
Most Companies Changed Their Cybersecurity Strategy in the Past Year
Source: Help Net Security
According to LogRhythm, 95% of companies adjusted their cybersecurity strategy in the past year. Leadership is driving the change, as cybersecurity is now treated as integral to business strategy and governance. The main drivers cited are regulatory compliance, customer expectations for data protection, and the emergence of AI-driven threats. Communication between security teams and non-security executives remains a weak point, however, with gaps in understanding regulatory requirements and in justifying security spending. Despite larger budgets and resource allocations, respondents report a need for better reporting mechanisms and metrics to measure the impact of security investments and strategy changes.
Ransom Recovery Costs Reach $2.73 Million
Source: Help Net Security
Ransomware recovery costs have risen sharply, according to Sophos' State of Ransomware 2024 report: the average ransom payment increased by 500% to $2 million in the past year. Ransoms are only part of the bill, however; the average total cost of recovery has reached $2.73 million, up nearly $1 million from 2023. While the share of organizations hit by ransomware fell slightly to 59%, demands have escalated, with 63% of demands exceeding $1 million and 30% exceeding $5 million, affecting organizations of every size. Exploited vulnerabilities and compromised credentials remain the top initial-access vectors, and attackers attempted to compromise backups in 94% of incidents. With criminals continuing to raise the stakes, organizations should prioritize these preventable root causes: patch exposed systems, harden credentials with MFA, and keep backups offline or otherwise out of an attacker's reach.
Manager IT Governance, Risk, Security and Business Relationships
10 months ago: Hi Marcos Christodonte II, I have sent you a connection request.
Co-Founder & CEO at Pellonium | Trusted Advisor | Risk Management | Cybersecurity | Army Veteran
10 months ago: Great updates, Marcos Christodonte II. Thank you for putting them together.
Dad | Tech Advisor | Guitar | Golf | Running
10 months ago: Thanks for doing this. I read it daily.