Microsoft resolves vulnerability following criticism from Tenable CEO
Microsoft has now resolved the Azure AD vulnerability. Amit Yoran, CEO of cybersecurity firm Tenable, published a “scathing LinkedIn post” criticizing Microsoft for its handling of the vulnerability. A researcher at Tenable discovered an issue on March 30, and Microsoft apparently “waited months to get back to Tenable before claiming the issue was fixed on July 6,” yet upon further investigation, Tenable discovered that the fix was “incomplete and was still exploitable.” The full account of this exchange plus a link to Amit Yoran’s LinkedIn post is available in the shownotes to this episode.
(The Record and LinkedIn)
FBI investigating ransomware attack crippling hospitals across four states
A major multi-state hospital network is experiencing network outages due to a cyberattack, which has been confirmed by the FBI as ransomware. Prospect Medical Holdings operates 16 hospitals in California, Connecticut, Pennsylvania, and Rhode Island as well as a network of 166 outpatient clinics and centers. The issues started on Thursday, forcing member hospitals “to divert patients to other facilities and cease operation.” In a statement to Recorded Future News, the FBI said it is “investigating the ransomware attacks but said they are unable to provide more information because it is an ongoing investigation.” No ransomware gang has claimed the attack.
New acoustic attack steals data from keystrokes with 95% accuracy
Researchers from universities in the UK have trained a deep learning model that can “steal data from keyboard keystrokes recorded using a microphone with an accuracy of 95%.” When recordings captured over Zoom were used for the sound classification algorithm, the prediction accuracy dropped to 93%, which is still considered dangerously high. According to Bleeping Computer, “the first step of the attack is to record keystrokes on the target’s keyboard, as that data is required for training the prediction algorithm. This can be achieved via a nearby microphone or the target’s phone that might have been infected by malware that has access to its microphone. Alternatively, keystrokes can be recorded through a Zoom call where a rogue meeting participant makes correlations between messages typed by the target and their sound recording.” To train the algorithms, the researchers gathered data by pressing each key on a MacBook Pro 25 times and recording the sound produced by each press.
BlueCharlie changes attack infrastructure in response to reports on its activity
The APT group, also known as Blue Callisto, TA446 and a number of other names, primarily targets NATO countries and focuses its operations on “defense and intelligence consulting companies, non-governmental organizations (NGOs), intergovernmental organizations (IGOs), think tanks, and higher education.” The essence of the infrastructure change is the set of domains from which it operates, which now carry more tech- or crypto-flavored branding such as cloudrootstorage[.]com, directexpressgateway[.]com, and storagecryptogate[.]com.
Thanks to this week’s episode sponsor, Conveyor

Burger King in France leaves credentials exposed, again
Recently, Cybernews revealed that Burger King’s operations in France publicly exposed sensitive credentials via a misconfiguration on their website. Since the affected website processed job applications, the leaked credentials could have served as a tool to craft a cyberattack against the chain’s systems, or against people who sought employment at Burger King restaurants in France. The company has since fixed the issue. In 2019, due to a similar misconfiguration, Burger King’s French branch “reportedly leaked personally identifiable information (PII) of children who bought Burger King menus.”
Hawaii’s Gemini North observatory suspended after cyberattack
The National Science Foundation’s (NSF) National Optical-Infrared Astronomy Research Laboratory is the US center for ground-based optical-infrared astronomy. It recently detected an attempted cyberattack on its computer systems, which required the lab to suspend its observations at Gemini North, located in Hawaii. The Gemini Observatory is part of an international science partnership between various countries, including the US, Canada, and Chile; its other telescope — Gemini South — is located in Chile. Both telescopes have been shut down so the IT team can investigate the incident, the details of which are unclear at this time.
Last week in ransomware
VMware ESXi servers continued to be the target of ransomware gangs last week, with “almost every active ransomware gang creating custom Linux encryptors for this purpose.” Other ransomware operations with ESXi encryptors include Akira, Royal, Black Basta, LockBit, BlackMatter, AvosLocker, REvil, HelloKitty, RansomEXX, and Hive.
Ransomware-related research released last week included a report from Dragos on ransomware’s impact on industrial organizations and infrastructure, a study from the UK’s Royal United Services Institute on the role of cyber insurance in addressing the threats posed by ransomware, three reports from intelligence firm KELA on Qilin, the new Knight 2.0 RaaS, and Akira, and a report on GitHub describing a tool that exploits DLL hijacking flaws in ransomware to prevent encryption.
In addition to the US hospital attacks just mentioned, Argentina’s Comprehensive Medical Care Program (PAMI) suffered a ransomware attack that impacted its operations. Links to the reports mentioned in this story are also available in the shownotes to this episode.