Cisco MFA breach, Bad bots surge, LockBit 3.0 propagates
Cisco announces breach of multifactor authentication message provider
One of the providers that Cisco's Duo uses to send multifactor authentication messages was breached by a threat actor on April 1, according to an email Cisco sent to its customers. Duo was acquired by Cisco in 2018. According to the email, the attacker “breached the system of a telephony supplier that Duo uses to send MFA messages through texts and phone calls to its customers.” The attacker used the credentials of an employee of that telephony supplier, allegedly obtained through a phishing attack, and with them was able to download a set of MFA SMS message logs pertaining to customers’ Duo accounts. Even without the contents of any one-time codes, such logs identify which phone numbers receive text and voice MFA and when, which is useful material for targeted phishing and SIM-swap attempts. According to The Record, “Duo has more than 40,000 customers and offers its services to state and federal government agencies as well as school districts and universities. Some of its more high-profile customers include Lyft, Yelp, Box and AmeriGas.”
(The Record)
Bad bots drive 10% annual surge in account takeover attacks
“Internet traffic associated with malicious bots now accounts for one third of total internet traffic, a 10% increase year-on-year.” That is according to security firm Imperva in its 2024 Bad Bot Report. Bots overall account for just about 50% of all internet traffic, and bots “accounted for 30% of all API attacks in 2023, 17% of which were designed to exploit business logic vulnerabilities.” Notably, the share of bad bot traffic originating from residential ISPs surged to 26%, which makes it harder to block on IP reputation alone. Nanhi Singh, general manager of application security at Imperva, warned that bots are capable of web scraping, ATO, spam, denial of service and data exfiltration, adding that “automated bots will soon surpass the proportion of internet traffic coming from humans.” A link to the report is available in the show notes to this episode.
(Imperva)
LockBit 3.0 variant generates custom, self-propagating malware
Following up on a story we covered last August, LockBit 3.0 continues to bite, this time “using stolen credentials to launch a sophisticated attack against an unidentified organization in West Africa.” Researchers at Kaspersky discovered this latest variant in March, and they are concerned about its ability to generate custom, self-propagating ransomware that is difficult to defend against. In this attack the ransomware disabled Windows Defender, encrypted network shares, and deleted Windows Event Logs to avoid discovery. It can also be configured to target specific Word and Excel files.
(Dark Reading)
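The two defense-evasion behaviours named above, disabling Defender and clearing event logs, are both visible in Windows event telemetry, and seeing them together on one host in a short window is a much stronger signal than either alone. The following detection logic is an added example, not code from Kaspersky, Dark Reading or the original post. The event IDs are the Microsoft-documented ones for Defender protection being disabled (5001, 5010, 5012) and for the Security and System logs being cleared (1102, 104); the event records, the host names and the 30-minute window are constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Microsoft-documented event IDs for the two behaviours we want to correlate.
DEFENDER_TAMPER = {  # Microsoft-Windows-Windows Defender/Operational
    5001: "real-time protection disabled",
    5010: "anti-malware scanning disabled",
    5012: "antivirus scanning disabled",
}
LOG_CLEARED = {  # Microsoft-Windows-Eventlog
    1102: "Security log cleared",
    104: "System log cleared",
}

# Constructed sample records (not real telemetry), shaped like rows exported from a SIEM.
SAMPLE_EVENTS = [
    {"time": "2024-03-12T02:14:03", "host": "FS01", "event_id": 5001},
    {"time": "2024-03-12T02:14:05", "host": "FS01", "event_id": 5010},
    {"time": "2024-03-12T02:19:40", "host": "FS01", "event_id": 1102},
    {"time": "2024-03-12T02:19:41", "host": "FS01", "event_id": 104},
    {"time": "2024-03-12T09:00:00", "host": "WS22", "event_id": 104},   # lone log clear: admin housekeeping
    {"time": "2024-03-11T23:10:00", "host": "WS07", "event_id": 5001},  # AV disabled ...
    {"time": "2024-03-12T03:30:00", "host": "WS07", "event_id": 1102},  # ... log cleared 4h20m later, outside window
]


def correlate_defense_evasion(events, window_minutes: int = 30):
    """Flag hosts where Defender was disabled and an event log was cleared
    within window_minutes afterwards. Returns {host: [(tamper_time, clear_time, why), ...]}."""
    window = timedelta(minutes=window_minutes)
    by_host = defaultdict(list)
    for ev in events:
        by_host[ev["host"]].append((datetime.fromisoformat(ev["time"]), ev["event_id"]))

    alerts = {}
    for host, evs in by_host.items():
        evs.sort()  # chronological, so "tamper then clear" ordering is meaningful
        tampers = [(t, i) for t, i in evs if i in DEFENDER_TAMPER]
        clears = [(t, i) for t, i in evs if i in LOG_CLEARED]
        hits = []
        for t_time, t_id in tampers:
            for c_time, c_id in clears:
                # Only a log clear that follows the tamper within the window counts.
                if timedelta(0) <= c_time - t_time <= window:
                    hits.append((t_time.isoformat(), c_time.isoformat(),
                                 f"{DEFENDER_TAMPER[t_id]} then {LOG_CLEARED[c_id]}"))
        if hits:
            alerts[host] = hits
    return alerts


if __name__ == "__main__":
    for host, hits in correlate_defense_evasion(SAMPLE_EVENTS).items():
        for tamper_time, clear_time, why in hits:
            print(f"{host}: {why} ({tamper_time} -> {clear_time})")
```

Only FS01 fires: WS22 shows a log clear with no preceding Defender tampering, and on WS07 the two events are hours apart. In a real deployment the same logic runs over a SIEM query rather than a list, and the window should be tuned to how quickly the environment's change-management actually clears logs.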
Change Healthcare data now announced as for sale
According to an individual known as DarkWebInformer posting on X, data belonging to Change Healthcare, Optum Group and UnitedHealth Group is now for sale. The post includes a screenshot allegedly taken from a dark market website, which offers data from groups including Medicare, CVS Caremark, MetLife, and Teachers Health Trust, among others. The data is said to contain PII of active military and navy personnel, medical and dental records, payment and claims information and much more. The group behind the purported listing says, “for most U.S. individuals out there doubting us, we probably have your personal data.”
Huge thanks to this week’s episode sponsor, Conveyor
LeakyCLI flaw exposes AWS and Google Cloud credentials
According to researchers at Orca Security, a newly reported issue dubbed LeakyCLI affects command-line tools used in cloud environments, “exposing sensitive credentials in logs, posing potential risks to organizations utilizing AWS and Google Cloud platforms.” The flaw is similar to one previously identified in Azure CLI, CVE-2023-36052, which Microsoft fixed in November 2023. Despite that, the AWS and Google Cloud CLIs remain susceptible to the same class of problem. The practical exposure is in CI/CD pipelines, where CLI output that echoes secrets ends up in build logs readable by anyone with access to them. Details can be found in the Orca Security report; the link is in the show notes to this episode.
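Because the exposure is CLI output landing in logs, the two practical controls are to redact secret-looking values before output is written to a build log, and to scan existing logs for credentials that have already leaked so they can be rotated. The script below is an added example, not code from Orca Security or the original post. The sample CLI output is constructed in the shape of an AWS Lambda function-configuration JSON document (a function's environment variables live under `Environment.Variables`), the CI log excerpt is constructed, and the name and value patterns used to decide what counts as a secret are this example's own heuristics, not definitions from any CLI.

```python
import json
import re

# Constructed sample (not real output): JSON in the shape an AWS Lambda
# function-configuration call prints to stdout. In a CI job that stdout is
# captured into the build log, which is the exposure described above.
SAMPLE_CLI_OUTPUT = json.dumps({
    "FunctionName": "orders-api",
    "Runtime": "python3.12",
    "Environment": {
        "Variables": {
            "DB_HOST": "db.internal",
            "DB_PASSWORD": "s3cr3t-pass",
            "AWS_ACCESS_KEY_ID": "AKIAIOSFODNN7EXAMPLE",
            "STRIPE_KEY": "sk_live_0000000000000000",
        }
    },
})

# Constructed CI log excerpt in which a key ID has already been echoed.
SAMPLE_CI_LOG = """\
[12:01:03] Deploying orders-api
[12:01:04] {"FunctionName": "orders-api", "Environment": {"Variables": {"AWS_ACCESS_KEY_ID": "AKIAIOSFODNN7EXAMPLE"}}}
[12:01:05] Done.
"""

# Heuristics chosen for this example (assumptions, not CLI or Orca definitions):
# variable names that usually hold secrets, and values that are credentials on their own.
SENSITIVE_NAME_RE = re.compile(r"PASS|SECRET|TOKEN|_KEY|CREDENTIAL", re.I)
CREDENTIAL_VALUE_RE = re.compile(r"^(AKIA[0-9A-Z]{16}|sk_live_[0-9A-Za-z]+)$")
AWS_KEY_ID_RE = re.compile(r"\bAKIA[0-9A-Z]{16}\b")


def redact_cli_output(cli_json: str):
    """Mask secret-looking values under Environment.Variables before the output is logged.
    Returns (redacted_json_text, names_of_redacted_variables)."""
    doc = json.loads(cli_json)
    variables = doc.get("Environment", {}).get("Variables", {})  # same dict object as inside doc
    redacted = []
    for name, value in variables.items():
        if SENSITIVE_NAME_RE.search(name) or CREDENTIAL_VALUE_RE.match(str(value)):
            variables[name] = "***REDACTED***"
            redacted.append(name)
    return json.dumps(doc, indent=2), redacted


def scan_log_for_aws_key_ids(log_text: str):
    """Return the distinct AWS access key IDs present in captured log text, for rotation."""
    return sorted(set(AWS_KEY_ID_RE.findall(log_text)))


if __name__ == "__main__":
    clean, names = redact_cli_output(SAMPLE_CLI_OUTPUT)
    print(clean)
    print("redacted variables:", names)
    print("key IDs already in log:", scan_log_for_aws_key_ids(SAMPLE_CI_LOG))
```

Redaction at the pipeline boundary is a stop-gap; the durable fix is to keep secrets out of function environment variables altogether and have the function fetch them from a secrets manager at runtime, so there is nothing for the CLI to echo.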
PuTTY SSH client found vulnerable to key recovery attack
A critical vulnerability affecting versions 0.68 through 0.80 of the PuTTY Secure Shell (SSH) and Telnet client could be exploited to achieve full recovery of NIST P-521 private keys, according to its maintainers, following its discovery by researchers at Ruhr University Bochum in Germany. The flaw is now tracked as CVE-2024-31497. PuTTY is a free and open-source terminal emulator, serial console, and network file transfer application, originally written for Microsoft Windows, and is used to connect to remote systems for system administration, remote file transfer, and troubleshooting. Because the recovery works from signatures a vulnerable client has already produced, upgrading alone does not close the exposure: any P-521 key that was used with an affected version should be treated as compromised, removed from servers' authorized_keys files, and replaced.
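The clean-up step above means finding every P-521 public key still trusted by your servers. The script below is an added example, not PuTTY's code or anything from the original post. It parses OpenSSH-format authorized_keys lines, decodes each key blob's SSH wire format (a sequence of 4-byte-length-prefixed strings: key type, then for ECDSA the curve name, then the public point) and reports the lines whose curve is `nistp521`, reading the curve from inside the blob rather than trusting the text prefix. The sample authorized_keys content, including the dummy public points, is constructed for the example.

```python
import base64
import re
import struct


def _ssh_string(data: bytes) -> bytes:
    """Encode one SSH wire-format string: 4-byte big-endian length, then the bytes."""
    return struct.pack(">I", len(data)) + data


def _parse_ssh_strings(blob: bytes):
    """Split a public key blob into its length-prefixed string fields."""
    fields, offset = [], 0
    while offset < len(blob):
        (length,) = struct.unpack(">I", blob[offset:offset + 4])
        offset += 4
        fields.append(blob[offset:offset + length])
        offset += length
    return fields


def key_blob_curve(blob_b64: str):
    """Return (key_type, curve_name) decoded from the base64 blob; curve_name is None
    for non-ECDSA keys. The curve inside the blob is what the server actually uses."""
    fields = _parse_ssh_strings(base64.b64decode(blob_b64))
    key_type = fields[0].decode("ascii")
    curve = fields[1].decode("ascii") if key_type.startswith("ecdsa-sha2-") else None
    return key_type, curve


# Finds the key-type token and blob even when options (possibly with quoted spaces) precede them.
KEY_RE = re.compile(
    r"(?:^|\s)(ssh-rsa|ssh-ed25519|ecdsa-sha2-nistp(?:256|384|521))\s+([A-Za-z0-9+/=]+)"
)


def find_p521_keys(authorized_keys_text: str):
    """Return [(line_number, comment)] for every key whose blob is on NIST P-521."""
    hits = []
    for lineno, line in enumerate(authorized_keys_text.splitlines(), start=1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        match = KEY_RE.search(line)
        if not match:
            continue
        _, curve = key_blob_curve(match.group(2))
        if curve == "nistp521":
            hits.append((lineno, line[match.end():].strip()))
    return hits


# --- constructed sample data: dummy public points, not real keys ---
def make_ecdsa_blob(curve: str) -> str:
    point_len = {"nistp256": 65, "nistp384": 97, "nistp521": 133}[curve]  # uncompressed point sizes
    blob = (_ssh_string(f"ecdsa-sha2-{curve}".encode())
            + _ssh_string(curve.encode())
            + _ssh_string(b"\x04" + b"\x00" * (point_len - 1)))
    return base64.b64encode(blob).decode("ascii")


def make_ed25519_blob() -> str:
    return base64.b64encode(_ssh_string(b"ssh-ed25519") + _ssh_string(b"\x00" * 32)).decode("ascii")


SAMPLE_AUTHORIZED_KEYS = "\n".join([
    "# constructed authorized_keys for demonstration",
    f"ecdsa-sha2-nistp521 {make_ecdsa_blob('nistp521')} alice@laptop",
    f'command="/usr/bin/backup run",no-pty ecdsa-sha2-nistp521 {make_ecdsa_blob("nistp521")} backup-bot',
    f"ecdsa-sha2-nistp256 {make_ecdsa_blob('nistp256')} bob@desk",
    f"ssh-ed25519 {make_ed25519_blob()} carol@build",
])

if __name__ == "__main__":
    for lineno, comment in find_p521_keys(SAMPLE_AUTHORIZED_KEYS):
        print(f"line {lineno}: P-521 key ({comment}) should be revoked and replaced")
```

The same blob decoding applies to keys stored elsewhere in OpenSSH format (known_hosts entries, certificate authorities, Git hosting deploy keys exported as text); PuTTY's own .ppk private key files use a different container and are not parsed here.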
Credible takeover attempt similar to XZ Utils backdoor stopped by researchers
Security researchers at the OpenJS Foundation, which stewards a number of JavaScript projects, have stopped what they call a “credible” takeover attempt that resembles the recent XZ Utils backdoor incident. The researchers said that on Monday they received “a suspicious series of emails with similar messages, bearing different names and overlapping GitHub-associated emails,” which asked OpenJS to designate the senders as new maintainers of one of its projects. They stress that this type of social engineering attack preys on exhausted maintainers. According to The Record, Chris Hughes, chief security advisor at open-source security company Endor Labs and a Cyber Innovation Fellow at CISA, said an estimated one-quarter of all open-source security projects have a single maintainer and 94% have fewer than 10.
(The Record)
Cryptojacker arrested for defrauding cloud providers of $3.5 million
Charles O. Parks III, known by the rather clever online handle CP3O and a resident of Omaha, Nebraska, allegedly “registered multiple accounts with two cloud providers to access cloud computing resources he used for mining cryptocurrency.” According to the indictment, he used fake identities to set up the accounts, never paid for the cloud computing resources he used to mine Ether, Litecoin, and Monero, and “convinced the cloud providers to offer elevated levels of cloud computing services, such as GPUs, tools to maximize the cloud computing power,” simply not responding to the providers’ inquiries about unpaid bills. Those companies now allege fraud to the tune of $3.5 million.
7 months: Did you mean Cisco MFA breach?