
This Week in Cybersecurity News – 2/13/24 – Valentine’s Day Edition


By Nathan Burke

Surveys, research, and stats

Fragmented cybersecurity vendor landscape is exacerbating risks and compounding skills shortages, SenseOn research reveals

By Gurus, IT Security Guru

  • The majority of large enterprises spend an average of 3-5 months integrating and training teams on each new security solution – at the expense of threat hunting, vulnerability scanning and security awareness training
  • However, major contradictions are rife, with 76% believing more tools equate to better security

Attitudes to cybersecurity within the UK’s largest organisations are highly contradictory and risk compounding existing risk, stress, and inefficiency, new research from SenseOn has today revealed. The research, which surveyed 250 IT and security decision makers at UK and Irish companies with more than 250 employees, uncovered that the vast majority still subscribe to the belief that ‘the more cybersecurity tools you purchase the more protected you are’, despite new tools taking an average of 2.4 months to adopt, time taken away from other critical activity including threat hunting and security awareness training. The study also found that two thirds of respondents from the largest organisations (5,000-10,000 employees) see third party risk as a primary challenge, a further contradiction of the perception that more tools improve security.

This speaks to a security ecosystem where organisations feel compelled to buy tools to feel better protected, only to find themselves concerned about the necessary exposure of having more suppliers and vendors, and with months in cybersecurity limbo, dedicating even more time to adopting the new tools, rather than using them.

The problem of new tools being hailed as a solution to security problems is further compounded by a chronic lack of staff to adopt – and subsequently manage – these tools. At a time when security professionals are already overwhelmed and under-resourced, new tools can place additional demands on already stretched teams.

Corresponding to this narrative, the same poll of security professionals also found that 95% of respondents believe that stress is impacting staff retention in their organisation. When polled on what technologies would reduce this stress, 83% of respondents highlighted ‘tools that use AI to automate security activity’ and 81% opted for security awareness training.

“The research supports something lots of people working in the industry already know: Cybersecurity is broken. Such a large majority of security leaders reporting their companies’ reliance on tools in place of a security strategy is a huge concern.”

David Atkinson, Founder and CEO of SenseOn

Google Cybersecurity Action Team Threat Horizons Report #9 Is Out!

By Anton Chuvakin – Anton on Security

Anton Chuvakin’s highlights from the 9th edition of Google’s Threat Horizons report, including:

  • “Credential issues remain the predominant security oversight observed among Google Cloud customers. Over half of incident data shows that threat actors are compromising Cloud instances with weak or no passwords on common remote access protocols, Secure Shell (SSH) and Remote Desktop Protocol (RDP) to gain unauthorized access to Cloud instances.”
  • “While weak credentials and misconfigurations are often causes for a threat actor’s initial access to cloud environments, other factors, such as weak storage defenses, application vulnerabilities, and third-party issues also led to cloud system compromises, resulting in ransomware and data theft ”
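The SSH half of that finding is something a host owner can check from their own auth logs. The following Python is an added example, not part of the Google report, Anton’s post or this page: it parses constructed sshd syslog lines (the sample below is made up here) and flags a successful password login that follows a run of failures from the same source, which is the trail a brute-forced weak password leaves behind. The line layout follows the standard OpenSSH syslog format; the failure threshold is an assumption.

```python
import re
from collections import defaultdict

# Constructed sample auth.log lines (not taken from any real host): a password
# spray from one IP that ends in a successful password login on the exposed SSH port,
# one legitimate key-based login, and one stray failure from a second IP.
SAMPLE_AUTH_LOG = """\
Feb 12 03:14:01 web-01 sshd[2101]: Failed password for root from 203.0.113.9 port 51234 ssh2
Feb 12 03:14:03 web-01 sshd[2101]: Failed password for root from 203.0.113.9 port 51236 ssh2
Feb 12 03:14:05 web-01 sshd[2103]: Failed password for invalid user admin from 203.0.113.9 port 51240 ssh2
Feb 12 03:14:07 web-01 sshd[2105]: Failed password for ubuntu from 203.0.113.9 port 51244 ssh2
Feb 12 03:14:09 web-01 sshd[2107]: Accepted password for ubuntu from 203.0.113.9 port 51250 ssh2
Feb 12 03:20:11 web-01 sshd[2201]: Accepted publickey for deploy from 198.51.100.7 port 40022 ssh2: ED25519 SHA256:abc
Feb 12 03:22:40 web-01 sshd[2210]: Failed password for git from 192.0.2.44 port 33001 ssh2
"""

# Matches the OpenSSH "Accepted/Failed <method> for [invalid user] <user> from <ip> port" form.
LINE_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Accepted|Failed) (?P<method>\w+) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port"
)


def parse_sshd_events(text):
    """Return one dict (result, method, user, ip) per recognised sshd auth line, in log order."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            events.append(m.groupdict())
    return events


def find_password_compromises(text, threshold=3):
    """Return (ip, user) pairs for successful password logins preceded by at least
    `threshold` failed password attempts from the same source IP (threshold is an assumption)."""
    failures = defaultdict(int)
    hits = []
    for e in parse_sshd_events(text):
        if e["method"] != "password":
            continue  # key-based logins are not part of this pattern
        if e["result"] == "Failed":
            failures[e["ip"]] += 1
        elif failures[e["ip"]] >= threshold:
            hits.append((e["ip"], e["user"]))
    return hits


def password_auth_in_use(text):
    """Any accepted password login proves PasswordAuthentication is still enabled on this host,
    which is the exposure the report describes, whether or not a brute force has succeeded yet."""
    return any(e["result"] == "Accepted" and e["method"] == "password"
               for e in parse_sshd_events(text))


if __name__ == "__main__":
    for ip, user in find_password_compromises(SAMPLE_AUTH_LOG):
        print(f"likely brute-forced password login: {user} from {ip}")
    if password_auth_in_use(SAMPLE_AUTH_LOG):
        print("password authentication is enabled; disable it and move to keys")
```

Run it against a real `/var/log/auth.log` (or `journalctl -u ssh`) and the second check is the one to act on first: a host that accepts passwords over the internet at all is the finding, and the brute-force pattern is just the confirmation that someone has already used it.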

Breaches and hacks

Bank of America warns customers of data breach after vendor hack

By Sergiu Gatlan, BleepingComputer

Bank of America is warning customers of a data breach exposing their personal information after Infosys McCamish Systems (IMS), one of its service providers, was hacked last year.

“On around November 3, 2023, IMS was impacted by a cybersecurity event when an unauthorized third party accessed IMS systems, resulting in the non-availability of certain IMS applications,” the data breach notification says.

On November 4th, the LockBit ransomware gang claimed responsibility for the IMS attack, saying that its operators encrypted over 2,000 systems during the breach.

Infosys entry on LockBit’s leak site (Dark Web Informer)

The LockBit ransomware-as-a-service (RaaS) operation came to light in September 2019 and has since targeted many high-profile organizations, including the UK Royal Mail, the Continental automotive giant, the City of Oakland, and the Italian Internal Revenue Service.


Ongoing Microsoft Azure account hijacking campaign targets executives

By Bill Toulas, BleepingComputer

A phishing campaign detected in late November 2023 has compromised hundreds of user accounts in dozens of Microsoft Azure environments, including those of senior executives.

Hackers target executives’ accounts because they can access confidential corporate information, self-approve fraudulent financial transactions, and access critical systems to use them as a foothold for launching more extensive attacks against the breached organization or its partners.

The attacks employ documents sent to targets that embed links masqueraded as “View document” buttons that take victims to phishing pages.

“The affected user base encompasses a wide spectrum of positions, with frequent targets including Sales Directors, Account Managers, and Finance Managers. Individuals holding executive positions such as “Vice President, Operations”, “Chief Financial Officer & Treasurer” and “President & CEO” were also among those targeted,” explains Proofpoint.

The analysts identified the following Linux user-agent string which attackers use to gain unauthorized access to Microsoft365 apps:

Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36

This user agent has been associated with various post-compromise activities, such as MFA manipulation, data exfiltration, internal and external phishing, financial fraud, and creating obfuscation rules in mailboxes.
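One way to hunt for that user agent in sign-in telemetry, as an added example that is neither Proofpoint’s code nor this post’s: the records below are constructed, and the field names (`user`, `ip`, `userAgent`, `status`, `operation`) are assumptions rather than any vendor’s actual export schema. The string itself is a generic Chrome-on-Linux user agent, so a match on it alone is only a lead (a Linux admin or a CI account will match too); the second function keeps only users whose suspect-UA source IP also shows up creating inbox rules or changing MFA methods, which is the post-compromise activity the article lists.

```python
from collections import defaultdict

# The user-agent string Proofpoint reported (quoted on this page).
SUSPECT_UA = ("Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 "
              "(KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36")

# Constructed sign-in records; field names are assumed, not a real export format.
SAMPLE_SIGNINS = [
    {"user": "cfo@example.com", "ip": "198.51.100.23", "userAgent": SUSPECT_UA,
     "status": "success", "appDisplayName": "OfficeHome"},
    {"user": "cfo@example.com", "ip": "198.51.100.23", "userAgent": SUSPECT_UA,
     "status": "success", "appDisplayName": "Microsoft Graph"},
    {"user": "cfo@example.com", "ip": "203.0.113.5",
     "userAgent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
                  "(KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36 Edg/120.0.0.0",
     "status": "success", "appDisplayName": "Outlook"},
    {"user": "sales.director@example.com", "ip": "198.51.100.23", "userAgent": SUSPECT_UA,
     "status": "failure", "appDisplayName": "OfficeHome"},
    # A legitimate Linux automation account that happens to use the same UA.
    {"user": "deploy-bot@example.com", "ip": "192.0.2.10", "userAgent": SUSPECT_UA,
     "status": "success", "appDisplayName": "Azure Portal"},
]

# Constructed audit events for mailbox-rule creation and an MFA method change (shapes assumed).
SAMPLE_AUDIT = [
    {"user": "cfo@example.com", "operation": "New-InboxRule", "ip": "198.51.100.23"},
    {"user": "cfo@example.com", "operation": "Update user",
     "detail": "StrongAuthenticationMethod", "ip": "198.51.100.23"},
]


def hunt_user_agent(signins, ua=SUSPECT_UA):
    """Map each user with a successful sign-in from the suspect UA to the set of source IPs used.
    Failed attempts are dropped: they show targeting, not access."""
    by_user = defaultdict(set)
    for r in signins:
        if r["userAgent"] == ua and r["status"] == "success":
            by_user[r["user"]].add(r["ip"])
    return dict(by_user)


def correlate_post_compromise(signins, audit, ua=SUSPECT_UA):
    """Keep only users whose suspect-UA sign-in IP also performed a mailbox-rule or MFA change.
    Returns user -> list of operations, in audit order."""
    suspect = hunt_user_agent(signins, ua)
    confirmed = {}
    for ev in audit:
        user = ev["user"]
        if user in suspect and ev["ip"] in suspect[user]:
            confirmed.setdefault(user, []).append(ev["operation"])
    return confirmed


if __name__ == "__main__":
    for user, ips in hunt_user_agent(SAMPLE_SIGNINS).items():
        print(f"lead: {user} signed in with suspect UA from {sorted(ips)}")
    for user, ops in correlate_post_compromise(SAMPLE_SIGNINS, SAMPLE_AUDIT).items():
        print(f"escalate: {user} followed suspect-UA sign-in with {ops}")
```

The split between the two functions is the point: the UA gives you a candidate list, and the audit correlation is what separates a compromised CFO from a deployment account that legitimately runs Chrome on Linux.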

See Also: DarkReading


Hyundai Motor Europe hit by Black Basta ransomware attack

By Lawrence Abrams, BleepingComputer

Car maker Hyundai Motor Europe suffered a Black Basta ransomware attack, with the threat actors claiming to have stolen three terabytes of corporate data.

Hyundai Motor Europe is Hyundai Motor Company’s European division, headquartered in Germany.

BleepingComputer first learned of the attack in early January, but when we contacted Hyundai, we were told they were just experiencing IT issues.

The Black Basta ransomware gang launched its operation in April 2022 and quickly launched a stream of double-extortion attacks.

By June 2022, Black Basta had partnered with the QBot malware operation (QakBot) to drop Cobalt Strike for remote access on corporate networks. Black Basta would use this access to spread to other devices on the network, steal data, and ultimately encrypt devices.

Black Basta is believed to be an offshoot of the notorious Conti ransomware operation, run by one of the previous Conti leaders.

Since its launch, the threat actors have been responsible for a wide range of attacks, including those against the Toronto Library, Capita, the American Dental Association, Sobeys, Knauf, and Yellow Pages Canada.

A report from Corvus Insurance and Elliptic in November 2023 says that Black Basta is believed to have received over $100 million in ransom payments since its launch.


Verizon Breach – Malicious Insider or Innocuous Click?

By Katrielle Soussana, IT Security Guru

A household name among American media companies, Verizon Communications on Wednesday began notifying employees that an insider may have gained access to their data. According to the breach notice to the Maine Attorney General, an unauthorized employee opened a file containing sensitive data of 63,206 other employees.

While customers are not believed to have been impacted in this breach, Verizon is warning that the exposed employee data could include Social Security Numbers, National Identifiers, full names, home addresses, DOBs, compensation information, gender, and union affiliations.

The unauthorized employee initially gained access to this document in September 2023, but Verizon did not discover the incident until December, almost 3 months later. At this time, it is unknown what the unauthorized employee may have done with the data, or if they intend to use it for nefarious purposes.


20+ hospitals in Romania hit hard by ransomware attack on IT service provider

By Graham Cluley

Over 20 hospitals in Bucharest have reportedly been impacted by a ransomware attack after cybercriminals targeted an IT service provider. As a consequence, medical staff have been forced to use pen and paper rather than computer systems.

Romania’s National Cybersecurity Directorate (DNSC) said in a statement that the attackers encrypted hospital data using the Backmydata ransomware – a variant of Phobos.

Misinformation

The toothbrush DDoS attack: How misinformation spreads in the cybersecurity world

By Graham Cluley

Tooth factor authentication couldn’t stop journalists from reporting this nonsense.

Here are a few headlines from the last 24 hours or so, about a supposed smart toothbrush botnet launching a distributed denial-of-service (DDoS) attack:

The story is fiction. Three million smart toothbrushes didn’t launch a DDoS attack against a Swiss company.

If they really had launched the attack, Fortinet’s PR team would surely have been pushing out the news left, right, and centre. But Fortinet’s social media accounts and press release archives are silent.

Fortinet declined to comment to those cybersecurity news outlets or the security researchers that bothered to ask for some details.

UPDATE: Round 3! The toothbrush DDoS attack saga continues: Newspaper counters Fortinet’s translation claim in contentious interview

Cybersecurity in the future! 🔮

Keeper Security Available on Apple Vision Pro

By Guru Writer

Password manager Keeper Security announced this week that users can log in to applications on the new Apple Vision Pro™ with Keeper, providing secure and seamless access to content on the revolutionary new device.

As spatial computing becomes a reality and blends the physical world with virtual experiences, securing this evolving form of computing is critical. Using Keeper with Apple Vision Pro provides the same login experience and autofill capabilities users know from their mobile devices and computers, ensuring secure access to a user’s preferred applications and websites. Once connected to Apple Vision Pro, KeeperFill automatically fills credentials, enhancing the Apple Vision Pro user experience.

Research by Keeper Security earlier this year revealed that new technology being exploited by cybercriminals is a concern for business leaders. With cybersecurity solutions readily available on the latest devices, like the Apple Vision Pro, and with adequate cyber precautions, this risk can be reduced. The fundamentals of cyber still apply to new tech.
