This week’s Cyber Security Headlines – Week in Review, July 17-21, is hosted by Rich Stroffolino with our guest, Dimitri van Zantvliet, CISO, Dutch Railways – they are hiring, by the way! Visit https://www.werkenbijns.nl/vacatures to learn more.
Cyber Security Headlines – Week in Review is live every Friday at 12:30pm PT/3:30pm ET. Join us each week by registering for the open discussion at CISOSeries.com
Russia-linked Gamaredon starts stealing data 30 to 50 minutes after initial compromise
Ukraine’s Computer Emergency Response Team is warning that the Russia-linked APT group Gamaredon (aka Shuckworm, Actinium, Armageddon, Primitive Bear, UAC-0010, and Trident Ursa) is able to steal data from victims’ networks in less than an hour after the initial compromise. The group often uses spear-phishing and social engineering emails and messages (Telegram, WhatsApp, Signal) as an initial attack vector, using accounts that have been previously compromised.
New AI tool – WormGPT allows for sophisticated cyber attacks
According to findings from SlashNext, WormGPT has been advertised on underground forums as a way for adversaries to create highly convincing fake emails, personalized to the recipient, thus increasing the chances of success for the attack. Despite anti-abuse protocols put in place by OpenAI and Google’s Bard, a report from Check Point last week described how “Bard’s anti-abuse restrictors in the realm of cybersecurity are significantly lower compared to those of ChatGPT,” making it the current tool of choice for such activities. SlashNext security researcher Daniel Kelley added, in his company’s report, that threat actors are promoting “jailbreaks” for ChatGPT, engineering specialized prompts and inputs that are designed to manipulate the tool into generating output that could involve disclosing sensitive information, producing inappropriate content, and executing harmful code.
Microsoft still unsure how hackers stole Azure AD signing key
Following up on last week’s email breach story, an inactive Microsoft account (MSA) consumer signing key was allegedly used by Chinese hackers to breach the Exchange Online and Azure AD accounts of two dozen organizations, including government agencies. The threat actors used the stolen Azure AD enterprise signing key to forge new auth tokens by exploiting a GetAccessTokenForResource API flaw, giving them access to the targets’ enterprise mail. “The method by which the actor acquired the key is a matter of ongoing investigation,” Microsoft admitted in a new advisory published Friday.
JumpCloud breached by APT
Last week, we reported that the enterprise software company JumpCloud reset all customer API keys, in what it referred to as an “ongoing incident.” Now the company has disclosed that a state-backed threat group breached its systems. It discovered the incident on June 27th, finding that the attackers had gained access a week earlier via a spear-phishing attack. The company discovered “unusual activity in the commands framework for a small set of customers” but said it found no evidence the attack impacted any customers. JumpCloud released indicators of compromise from the incident to help partners secure their own networks.
Thanks to today’s episode sponsor, OpenVPN

Typos leaking military emails
A new report from the Financial Times found that a common domain typo has implications for the US military. That’s because the .mil domain used by the US military often gets typed as .ml, the country code domain for the West African country Mali. This isn’t theoretical either. Speaking to the FT, Johannes Zuurbier, a Dutch entrepreneur managing the domain, said he set up a system to catch misdirected military emails sent to .ml addresses. Since January this captured over 117,000 emails, including sensitive medical records, identity documents, military base photos, military itineraries and more. Zuurbier’s contract to manage the domain expired this week, so Mali officials could access misdirected emails going forward.
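The .mil-to-.ml leak is a classic misdirected-mail failure, and the defender-side control is an outbound check that flags recipient domains whose top-level domain is a one-character slip of a protected TLD. The following is an added example (not code from the FT report or from the podcast) that generalizes the .mil case to any one-character deletion of a protected TLD; the protected-TLD list, the sample recipients and the function names are all assumptions constructed for illustration.

```python
"""Outbound-mail check for likely typo'd recipient domains.

Flags addresses whose TLD is a one-character deletion of a protected TLD,
e.g. user@army.ml is reported as a probable typo of user@army.mil.
Constructed example: the protected-TLD policy and sample addresses are assumptions.
"""

import re
from typing import Optional

# Assumed policy: TLDs whose typo variants should never receive mail from this org.
PROTECTED_TLDS = {"mil"}

# Minimal address shape: local-part@domain (no display names, no quoting).
_ADDR = re.compile(r"^[^@\s]+@([A-Za-z0-9.-]+)$")


def deletion_variants(tld: str) -> set:
    """All strings formed by deleting exactly one character from tld (mil -> il, ml, mi)."""
    return {tld[:i] + tld[i + 1:] for i in range(len(tld))}


# Precomputed lookalike -> intended TLD map, e.g. {"il": "mil", "ml": "mil", "mi": "mil"}.
LOOKALIKES = {v: tld for tld in PROTECTED_TLDS for v in deletion_variants(tld)}


def check_recipient(address: str) -> Optional[str]:
    """Return the probable intended domain if the address's TLD looks like a
    typo of a protected TLD, otherwise None."""
    match = _ADDR.match(address.strip())
    if not match:
        return None  # unparseable addresses are left to the MTA's own validation
    domain = match.group(1).lower().rstrip(".")
    labels = domain.split(".")
    tld = labels[-1]
    intended = LOOKALIKES.get(tld)
    if intended is None:
        return None
    return ".".join(labels[:-1] + [intended])


def screen_message(recipients: list) -> list:
    """Return (address, probable_intended_domain) pairs for every suspicious recipient,
    so a DLP hook or mail-submission gateway can hold the message for review."""
    findings = []
    for addr in recipients:
        intended = check_recipient(addr)
        if intended is not None:
            findings.append((addr, intended))
    return findings


if __name__ == "__main__":
    # Constructed sample recipients; none are real addresses.
    sample = [
        "jane.doe@army.mil",        # correct protected domain, not flagged
        "jane.doe@army.ml",         # the .mil -> .ml slip from the report
        "ops@logistics.navy.mi",    # another one-character deletion
        "vendor@example.com",       # unrelated domain, not flagged
    ]
    for addr, intended in screen_message(sample):
        print(f"HOLD {addr}: probable typo of {intended}")
```

Note the trade-off this simple rule makes: .il is Israel's real ccTLD, so a legitimate address under .il would also be held for review. In practice the hold list is tuned against the organisation's actual outbound traffic, and a hold (rather than a silent drop) keeps the false-positive cost to a human confirmation.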
US government launches IoT security labeling program
The Biden administration has launched its long-awaited “U.S. Cyber Trust Mark” program, which aims to protect Americans from security risks associated with Internet of Things (IoT) devices. The criteria for the voluntary, Energy Star-influenced labeling system were established by the National Institute of Standards and Technology (NIST). So far, the standard calls for strong and unique default passwords, protections for data at rest and in transit, regular security updates and built-in incident detection capabilities. The Cyber Trust Mark will take the form of a distinct shield logo, which will appear on products that meet the established cybersecurity criteria. The full list of standards is planned for completion by the end of 2023 and for launch in 2024.
Renewable technologies could pose risk to US electric grid
At a congressional hearing on Tuesday, former Assistant Secretary of Defense Paul Stockton warned that the inverters that underpin solar and wind energy storage systems present potential hacking risks. Inverters convert the direct current (DC) electricity generated by solar panels into the alternating current (AC) used by the electric grid. Stockton said inverters are a major point of weakness because the equipment is digitally native and because China is a major manufacturer of many of those devices. While inverters currently account for only roughly 14% of total electricity generation, the threat vector is expected to expand in the coming years. Stockton said securing inverters presents “an opportunity to transition to a stronger resilience strategy to defend the grid.”
Complex DDoS attacks on the rise
According to a new report from Cloudflare, the number of DDoS requests in Q2 increased 15% on the quarter to 5.4 trillion, but fell 35% on the year. The complexity and length of these attacks saw a bigger jump, with attacks exceeding three hours increasing 103% on the quarter. Digging into specific industries reveals a much larger spike: cryptocurrency companies saw a 600% increase in DDoS attacks on the year, with the gaming and gambling industries also seeing increased attacks. Cloudflare also noted the rise of virtual machine botnets in DDoS attacks, in place of infected smart devices; these can use a much smaller number of infected machines to launch powerful attacks.