Cybersecurity News: Ivanti zero-day, Akira targets backups, school data exposed

Ivanti VPN hit by zero-days

The US software company confirmed threat actors began exploiting two zero-days in its Ivanti Connect Secure software, impacting its corporate VPN service. Ivanti said this impacted “less than 10 customers.” However, the cybersecurity company Volexity said one of its clients found China-linked threat actors chaining two Connect Secure vulnerabilities to execute code as early as December 3rd. Ivanti said it will start rolling out patches in the week of January 22nd. Security researcher Kevin Beaumont reports we’ll likely see more victims, with over 15,000 impacted Ivanti appliances online.

(TechCrunch)

Akira targeting backups

The Finnish National Cybersecurity Center announced it found evidence of increased ransomware activity by the Akira threat group starting last month, accounting for 85% of reported ransomware incidents in December. The agency said it found evidence Akira specifically targeted NAS devices and tape backups to cause further damage. This strategy seemed focused on smaller organizations. It recommends organizations use offline backups.

(Bleeping Computer)

Sensitive school data accidentally exposed online

Security researcher Jeremiah Fowler discovered a cache of 800 gigabytes exposed online, detailing thousands of emergency planning documents from US schools. These files and logs came from the school software provider Raptor Technologies, which claims over 5,300 US school districts use its software. The exposed documents include evacuation plans for active shooter situations, medical records, court documents involving students, as well as personal information on staff and students. Fowler contacted Raptor, which quickly secured the buckets. A Raptor spokesperson said it found no indications anyone other than Fowler accessed the exposed data. 

(Wired)

New details and developments with high profile X account hacks

The security firm Mandiant published details of its investigation into its recent X account takeover. It said all indications show it was a brute force password attack carried out by a drainer-as-a-service group. Mandiant noted it failed to use 2FA on the account, which would have prevented the incident.

In related news, the House Financial Services Committee sent a letter to SEC Chairman Gary Gensler calling on the commission to brief it on its X account hack by January 17th. Like Mandiant, the SEC also didn’t enable 2FA. The committee referenced the SEC’s new cyber disclosure rules, saying it expects it “to hold itself to the same requirements.”

(Security Affairs, The Record)

Huge thanks to our sponsor, Vanta

From dozens of spreadsheets and screenshots to fragmented tools and manual security reviews, managing the requirements for modern compliance and security programs is increasingly challenging.

Vanta is the leading Trust Management Platform that helps you centralize your efforts to establish trust and enable growth across your organization.

Over 6,000 companies partner with Vanta to automate compliance, strengthen security posture, streamline security reviews, and reduce third-party risk.

To see Vanta’s platform firsthand and access resources plus a special offer, go to vanta.com/ciso and watch their 3-minute product demo.

Google Cloud upends egress fees

For as long as people have moved to the cloud, they’ve also complained about how hard it is to leave it. AWS, Azure, and Google Cloud all maintained hefty egress fees that often made cloud migrations difficult if not fiscally impossible. Now Google Cloud plans to upend this model, announcing it is eliminating fees for leaving to another service. Google VP Amit Zavery said switching fees account for only 2% of a total migration cost. Still, it made the move ahead of antitrust investigations in both the US and UK around cloud provider business practices.

(Bloomberg)

Kenya issues new personal data guidance

While it doesn’t get as much attention as GDPR, Kenya passed its Data Protection Act back in 2019. It previously issued guidance on how the law applies to consent to share personal data, elections, data controllers, and how organizations can perform Data Protection Impact Assessments. With enforcement of the law picking up, Kenya’s Office of the Data Protection Commissioner issued new guidance on how the law applies to education, communications, credit, and processing health data. This comes after the ODPC fined a school over $30,000 for publishing pictures of children without parental consent.

(Dark Reading)

Canadian critical infrastructure will have to make the grade

The company SecurityScorecard generates letter grades for organizations to reflect their state of cyber resilience using publicly available information. The Canadian Centre for Cyber Security partnered with the organization to provide an “outside-in view” of cyber preparedness to identify critical infrastructure providers most at risk of experiencing a cyber incident. The CCCS hopes these grades will help identify systemic issues across critical infrastructure, as well as provide an easier way to give tailored guidance.  

(Bloomberg)

GitHub abuse on the rise

A new report from Recorded Future documented how threat actors use GitHub as part of a “living-off-trusted-sites” strategy. This can allow them to blend in with otherwise legitimate traffic to get around network defenses. Threat actors generally don’t run full-fledged C2 servers on GitHub, but they do commonly use it as a dead drop resolver, essentially using a repository to point to a C2 URL. Threat actors also use the service for payload delivery, but rarely as a data exfiltration target due to file size restrictions. GitHub isn’t the only legitimate service hosting threat actors’ activity. We’ve recently covered attacks using Dropbox, Google Drive, and Discord as infrastructure as well.
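The dead drop resolver pattern described above has a recognizable shape from the defender's side: a non-browser process on an endpoint repeatedly fetching the same raw file from GitHub on a fixed schedule. The following hunt script is an added example written for this digest, not code from the Recorded Future report or the article. It assumes a simplified proxy log format (timestamp, client IP, quoted user agent, method, URL), a hypothetical list of GitHub raw-content hosts, and heuristics (non-browser user agent, at least three fetches with near-constant spacing) chosen for illustration; the log lines are constructed sample data.

```python
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Assumed hosts that return file bytes rather than a web page. A dead-drop poll or a
# payload download lands here; normal human browsing mostly lands on github.com.
# This list is an assumption of the example, not from the report.
RAW_CONTENT_HOSTS = {
    "raw.githubusercontent.com",
    "gist.githubusercontent.com",
    "objects.githubusercontent.com",
}
# Crude browser detection; anything without these markers is treated as a script or tool.
BROWSER_MARKERS = ("Mozilla/", "Chrome/", "Safari/", "Firefox/")

# Constructed sample proxy log (not real traffic): one browser user reading a README,
# one host polling the same raw file every 60 seconds, one one-off gist download.
SAMPLE_LOG = """\
2024-01-15T09:00:01Z 10.0.0.12 "Mozilla/5.0 (Windows NT 10.0) Chrome/120.0" GET https://github.com/org/repo/pulls
2024-01-15T09:00:05Z 10.0.0.12 "Mozilla/5.0 (Windows NT 10.0) Chrome/120.0" GET https://raw.githubusercontent.com/org/repo/main/README.md
2024-01-15T09:01:00Z 10.0.0.44 "python-requests/2.31" GET https://raw.githubusercontent.com/acct1/cfg/main/c.txt
2024-01-15T09:02:00Z 10.0.0.44 "python-requests/2.31" GET https://raw.githubusercontent.com/acct1/cfg/main/c.txt
2024-01-15T09:03:00Z 10.0.0.44 "python-requests/2.31" GET https://raw.githubusercontent.com/acct1/cfg/main/c.txt
2024-01-15T09:04:00Z 10.0.0.44 "python-requests/2.31" GET https://raw.githubusercontent.com/acct1/cfg/main/c.txt
2024-01-15T09:30:00Z 10.0.0.77 "curl/8.4.0" GET https://gist.githubusercontent.com/u/abc123/raw/run.sh
"""

LINE_RE = re.compile(r'^(\S+) (\S+) "([^"]*)" (\S+) (\S+)$')
HOST_RE = re.compile(r'https?://([^/]+)/')


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match the assumed format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, client, ua, method, url = m.groups()
    host = HOST_RE.match(url)
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "client": client,
        "ua": ua,
        "method": method,
        "url": url,
        "host": host.group(1).lower() if host else "",
    }


def is_browser(ua):
    return any(marker in ua for marker in BROWSER_MARKERS)


def find_suspicious(log_text, min_polls=3, max_jitter_s=30):
    """Return findings for non-browser fetches of raw GitHub content.

    A (client, url) pair fetched at least `min_polls` times with gap jitter no larger
    than `max_jitter_s` seconds is rated high (looks like beacon-style polling of a
    dead drop); any other non-browser raw fetch is rated low for analyst triage.
    """
    events = [e for e in map(parse_line, log_text.splitlines()) if e]
    by_key = defaultdict(list)
    for e in events:
        if e["host"] in RAW_CONTENT_HOSTS and not is_browser(e["ua"]):
            by_key[(e["client"], e["url"])].append(e["ts"])

    findings = []
    for (client, url), stamps in by_key.items():
        stamps.sort()
        finding = {"client": client, "url": url, "count": len(stamps), "severity": "low"}
        if len(stamps) >= min_polls:
            gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
            jitter = statistics.pstdev(gaps) if len(gaps) > 1 else 0.0
            if jitter <= max_jitter_s:
                finding["severity"] = "high"
                finding["interval_s"] = statistics.mean(gaps)
        findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in find_suspicious(SAMPLE_LOG):
        print(f)
```

Run as a script, it reports the 60-second poll from 10.0.0.44 as high and the single curl gist download from 10.0.0.77 as low, while the browser session from 10.0.0.12 is ignored. In production the low-severity bucket will be noisy on developer workstations and CI runners that legitimately fetch raw files, so the usual step is to allowlist those sources and alert only on the periodic pattern.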

(The Hacker News)

Rich Stroffolino
Rich Stroffolino is a podcaster, editor, and writer based out of Cleveland, Ohio. Since 2015, he's worked in technology news podcasting and media. He dreams of someday writing the oral history of Transmeta.