Cybersecurity News Week in Review: Stolen Microsoft key, government Maximus breach, Clop on clearweb

This week’s Cyber Security Headlines – Week in Review, July 24-28, is hosted by Rich Stroffolino with guest TC Niedzialkowski, CISO, Nextdoor

Cyber Security Headlines – Week in Review is live every Friday at 12:30pm PT/3:30pm ET. Join us each week by registering for the open discussion at CISOSeries.com

Microsoft key stolen by Chinese hackers provided access far beyond Outlook

The private encryption key used by Chinese hackers to break into the email accounts of high-level U.S. government officials, disclosed last week, also gave them access to a vast array of other Microsoft products, according to new research from cloud security firm Wiz. In a blog post published Friday, Shir Tamari, head of research at Wiz, said further investigation has revealed that the compromised key would have given the hacking group, which Microsoft calls Storm-0558, access to far more than Outlook. It spanned many other Microsoft services that use the same authentication process, including every application that supports personal account authentication, such as SharePoint, Teams, and OneDrive, customers’ applications that support the login-with-Microsoft functionality, and multi-tenant applications in certain conditions, Tamari wrote. Although Microsoft revoked the affected key, Wiz warned that a sophisticated APT could have used the access and time to build backdoors or other forms of persistence into victim systems and accounts. Further, any applications that rely on local certificate stores or cached keys may still be using the compromised key and would be vulnerable to continued exploitation. A link to the Wiz blog is included in the show notes to this episode.
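The last point, that a validator holding a cached copy of the issuer’s key set keeps accepting tokens signed with a revoked key until that cache is refreshed, is easy to see in code. The following is an added illustration, not code from Wiz or Microsoft: HS256 shared secrets stand in for the issuer’s real asymmetric signing keys, the key IDs and claims are constructed, and the issuer’s published key set is a plain dictionary rather than a fetched JWKS document. The scenario signs a token, has the issuer revoke that key, and then checks the token against a validator with a long-lived cache and one that refreshes its key set promptly.

```python
"""Toy JWT validator: a stale key cache keeps a revoked signing key alive."""
import base64
import hashlib
import hmac
import json
import time

# Constructed key set standing in for an issuer's published JWKS (assumption:
# HS256 secrets instead of the RSA keys a real identity provider would use).
ISSUER_KEYS = {
    "kid-2022": b"constructed-secret-A",
    "kid-2023": b"constructed-secret-B",
}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def sign_token(kid: str, claims: dict, keys: dict) -> str:
    """Issue a compact JWT whose header names the signing key by kid."""
    header = {"alg": "HS256", "typ": "JWT", "kid": kid}
    signing_input = f"{_b64url(json.dumps(header).encode())}.{_b64url(json.dumps(claims).encode())}"
    sig = hmac.new(keys[kid], signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"


class KeyCache:
    """Local copy of the issuer's key set, re-fetched only when the TTL expires."""

    def __init__(self, fetch, ttl_seconds: float, clock=time.monotonic):
        self._fetch, self._ttl, self._clock = fetch, ttl_seconds, clock
        self._keys: dict = {}
        self._fetched_at = 0.0
        self.refresh()

    def refresh(self) -> None:
        # Replace, never merge: a key the issuer dropped must disappear locally too.
        self._keys = dict(self._fetch())
        self._fetched_at = self._clock()

    def key_for(self, kid):
        if self._clock() - self._fetched_at > self._ttl:
            self.refresh()
        key = self._keys.get(kid)
        if key is None:
            self.refresh()  # unknown kid: the issuer may have rotated, try once
            key = self._keys.get(kid)
        return key


def verify_token(token: str, cache: KeyCache) -> dict:
    """Validate the signature against the cached key set; return claims or raise."""
    try:
        h, p, s = token.split(".")
    except ValueError:
        raise ValueError("malformed token")
    header = json.loads(_b64url_decode(h))
    if header.get("alg") != "HS256":  # allow-list the algorithm, never trust the token's choice
        raise ValueError("unexpected alg")
    key = cache.key_for(header.get("kid"))
    if key is None:
        raise ValueError(f"unknown or revoked kid {header.get('kid')!r}")
    expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        raise ValueError("bad signature")
    return json.loads(_b64url_decode(p))


def _accepts(token: str, cache: KeyCache) -> bool:
    try:
        verify_token(token, cache)
        return True
    except ValueError:
        return False


def run_scenario() -> dict:
    """Sign with kid-2022, revoke it at the issuer, compare a stale and a fresh cache."""
    issuer = dict(ISSUER_KEYS)
    clock = [0.0]                     # injectable clock so the test is deterministic
    tick = lambda: clock[0]
    token = sign_token("kid-2022", {"sub": "alice", "aud": "mail"}, issuer)
    long_cache = KeyCache(lambda: issuer, ttl_seconds=86400, clock=tick)
    short_cache = KeyCache(lambda: issuer, ttl_seconds=300, clock=tick)
    before = verify_token(token, long_cache)["sub"]
    del issuer["kid-2022"]            # the issuer revokes the compromised key
    clock[0] += 600                   # ten minutes later
    return {
        "before": before,
        "stale_cache_accepts": _accepts(token, long_cache),     # still trusts the revoked key
        "refreshed_cache_accepts": _accepts(token, short_cache),  # re-fetched, key is gone
    }


if __name__ == "__main__":
    print(run_scenario())
```

The refresh replaces the whole cached set rather than merging into it, which is what makes revocation take effect; a validator that only ever adds keys it has not seen before would never drop kid-2022 no matter how often it polls.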

(SCMagazine and Wiz)

Millions affected by data breach at US government contractor Maximus

U.S. government services contractor Maximus has disclosed a data breach, warning that hackers stole the personal data of between 8 million and 11 million people during the recent MOVEit Transfer data-theft attacks. Maximus is a contractor that manages and administers US government-sponsored programs, including federal and local healthcare programs and student loan servicing. The company has a presence in the U.S., Canada, Australia, and the United Kingdom. Maximus has found no indication that the hackers progressed further than the MOVEit environment, which was immediately isolated from the rest of the corporate network. The Clop ransomware gang added Maximus to its dark web data leak site yesterday as part of a batch of 70 new victims, all of which were breached using the MOVEit zero-day flaw.

(Bleeping Computer)

Clop moves leaked data to clearweb sites

Like many threat groups, the Clop ransomware organization typically publishes leaked data on its own dedicated sites on the Tor network. This data is technically public, but it isn’t listed on any search index and is only accessible with a Tor browser, with slower download speeds. Now the Clop group has begun publishing leaked data from the MOVEit attacks directly on Internet-accessible sites. This isn’t an original move; the ALPHV ransomware group started doing this last year. These sites are specific to each victim, designed to ratchet up pressure on the firms to pay a ransom. They do show less sophistication than ALPHV’s sites, which included search functionality. So far, Clop just provides links to download data dumps.

(Bleeping Computer)

Cost of data breaches up 15%

That finding comes from IBM Security’s Cost of a Data Breach Report, which looked at global organizations from March 2022 through March 2023. The overall cost of a data breach jumped 15% over the last three years to an average of $4.45 million. Within that cost, detection and escalation costs increased 42% in that period, showing a shift to more sophisticated breach investigations. Organizations not disclosing ransomware-related data breaches to law enforcement saw breach lifecycles take 33 more days than average, with an additional $470,000 in cost. 57% of organizations that experienced a data breach planned to pass this cost on to consumers, while 51% planned to increase security investments.

(Silicon Angle)

Thanks to today’s episode sponsor, AppOmni

Over-provisioned users could lead to your most sensitive data being exposed or leaked. Just a single attack on one of those users may compromise your entire SaaS estate. With AppOmni’s SaaS Identity Fabric, secure and manage end-users, entitlements, and threat-based activity. Gain visibility and control over provisioned users and the SaaS data they have access to, and receive guided remediation. Get connected with SaaS security experts at AppOmni.com.

Government cyber attacks rely on valid credentials

A new report from the Cybersecurity and Infrastructure Security Agency found that threat actors used valid credentials in 54% of attacks against federal civilian agencies in 2022. Spearphishing was the second most popular method, used in 33% of incidents. The report looked at 121 Risk and Vulnerability Assessments. CISA also found threat actors saw the most success using common phishing and default credential methods. The report noted that these attacks didn’t show a particular amount of creativity, largely keeping to the same methods seen in past government breaches.

(The Record)

SEC to require incident disclosure

On Wednesday the Securities and Exchange Commission approved new rules to require organizations to disclose “material” cybersecurity incidents to the regulator within four business days. The US Attorney General can delay public disclosure of incidents if it would threaten public safety or national security. The rules would also require companies to annually share risk management, cybersecurity strategy, and governance policies. This applies to domestic businesses and those doing business in the US. The new rules come into effect in December, although smaller companies will have an additional 180 days to come into compliance.

(The Record)

Two severe Linux vulnerabilities impact 40% of Ubuntu users

Cybersecurity researchers at Wiz have disclosed two high-severity security flaws in the Ubuntu kernel that could pave the way for local privilege escalation attacks, and which have the potential to impact 40% of Ubuntu users. The vulnerabilities – tracked as CVE-2023-32629 and CVE-2023-2640 and dubbed GameOver(lay) – are present in a module called OverlayFS and arise as a result of inadequate permission checks in certain scenarios, enabling a local attacker to gain elevated privileges. Wiz security researchers Sagi Tzadik and Shir Tamari said, “the impacted Ubuntu versions are prevalent in the cloud as they serve as the default operating systems for multiple [cloud service providers].”

(The Hacker News)

China accuses U.S. of hacking earthquake monitoring equipment

China’s state-controlled newspaper The Global Times reported on Wednesday that “hacker groups and lawbreakers with governmental backgrounds” from the United States were suspected of compromising network equipment at an earthquake monitoring station in Wuhan. “According to the public security bureau, this Trojan horse program can illegally control and steal seismic intensity data collected by the front-end stations. This act poses a serious threat to national security,” the paper reported. The newspaper cited unnamed security experts who suggested the data was relevant when constructing military defense facilities.

(The Record)

Vulnerability found in TETRA encryption

Three Dutch security researchers from the firm Midnight Blue discovered severe flaws in the encryption algorithms for TETRA, a European radio standard used for critical voice and data radio communications. One flaw in syncing and keystream generation affected all of the algorithms. This could let someone potentially monitor and send commands to critical infrastructure. They also found that TETRA’s TEA1 algorithm, which normally uses an 80-bit key, features a mode that reduces its key to 32 bits. They cracked that reduced key in less than a minute on a consumer laptop. TETRA has been in use since the ’90s, but until now its encryption algorithms remained secret. The researchers discovered the flaws in 2021, but agreed to wait to disclose their findings through the Dutch National Cyber Security Center until patchable issues could be fixed. The researchers will present a full technical overview at Black Hat.

(Wired)

Steve Prentice
Author, speaker, expert in the area where people and technology crash into each other, viewed from the organizational psychology perspective. Host of many podcasts, voice actor and narrator for corporate media and audiobooks. Ghost-writer for busy executives.