Russian hackers breach Microsoft executive emails to learn about themselves
Microsoft has revealed that between November and January 12, the APT group known as Midnight Blizzard, Nobelium, APT 29 and Cozy Bear “used a password spray attack to compromise a legacy non-production test tenant account,” and from there accessed a small number of corporate accounts. The mission appeared to be to find out what Microsoft itself knew about the APT group. Microsoft has stated it has seen “no evidence that the threat actor had any access to customer environments, production systems, source code, or AI systems.” This group is best known for allegedly carrying out the SolarWinds hack in 2020.
JPMorgan Chase says hacking attempts are increasing
Speaking to the World Economic Forum in Davos, the head of JPMorgan Chase’s asset and wealth management division, Mary Callahan Erdoes, stated that her organization had seen “a sizable increase in attempts by hackers each day to infiltrate its systems over the last year.” As the largest US bank by assets, JPMorgan Chase “now invests $15 billion a year and employs 62,000 technologists to, in part, help fortify its defense against cybercrimes,” she said. CNN adds, “Banks across the United States and Europe have reported a surge in cyber-attacks over the past few years. Some of that increase has been blamed on Russian actors in retaliation for sanctions put on the country after its invasion of Ukraine. The rapid acceleration of artificial intelligence has also led to more complex attacks.”
(CNN)
TeamViewer still being abused to breach networks in new ransomware attacks
According to security firm Huntress, the popular remote access tool TeamViewer is still being used by ransomware actors to break into organizations’ endpoints and deploy encryptors. Bleeping Computer points out that the techniques have not changed much since a 2016 attack in which the Surprise ransomware was successfully deployed after threat actors used a credential stuffing attack. TeamViewer, in a statement, reminded customers and the media that most instances of unauthorized access involve a weakening of TeamViewer’s default security settings through the use of easily guessable passwords, which is only possible when running an outdated version of the product. The company stresses the need for complex passwords, two-factor authentication, allow-lists, and regular software updates.
(Bleeping Computer and Huntress)
Pompompurin gets 20 years supervised release
Following up on a story we have been covering for a while now, Conor Fitzpatrick, the admin of the BreachForums hacking forum, also known as Pompompurin, has been sentenced to 20 years of supervised release following his guilty plea to counts of conspiracy to commit access device fraud, solicitation for the purpose of offering access devices, and possession of child pornography. During the first year of home confinement, Fitzpatrick will be barred from accessing the internet and is required to register with state sex offender registries. Fitzpatrick has also been ordered to pay restitution for the losses incurred by the victims, with the specific amount yet to be decided.
Huge thanks to this week’s episode sponsor, Conveyor

Conveyor AI can now use your uploaded security documents to auto-generate precise answers to entire questionnaires.
The software one of our customers dubbed “my favorite security tool of the year” in 2023 has gotten even better, and it takes just minutes to get started.
Try a free proof of concept at www.conveyor.com.
Payoneer’s phishing attack leaves questions
The global payments processing company Payoneer suffered a serious attack on customers’ accounts in Argentina, which resulted in many seeing their accounts drained. The attack started as a standard phishing campaign, with users of the service receiving password reset requests via text message. But according to The Record, “even those who did not click on the links in the text or approve the password reset said they opened their account to either find themselves locked out or to see their money gone.” A spokesperson for Payoneer stated that “unfortunately, some customers clicked on these fake links and shared their account login information with fraudsters or encountered newer modes of fraud that compromised their mobile phones.” However, the spokesperson “did not respond to requests for comment about what victims are supposed to do now that their funds are gone, and it is still unclear how the hackers were able to bypass several layers of security to conduct the attacks.”
Senators ask DOJ to investigate facial recognition technology
A group of 18 senators led by Senate Judiciary Committee Chair Dick Durbin has written to the Department of Justice, raising concerns about “the agency’s funding and oversight of what they called ‘frequently inaccurate’ facial recognition software.” The inquiry is based on evidence that facial recognition technology more commonly misidentifies Black people than white people. Specifically, the senators say the technology may “potentially violate Title VI of the Civil Rights Act of 1964, which prohibits ‘discrimination under any program or activity receiving Federal financial assistance’ based on ‘race, color, or national origin.’”
WasabiSeed & Screenshotter Malware distributed through bogus invoices
The campaign is being attributed to a threat actor known as TA866. It was identified and blocked by Proofpoint on January 11, and involved thousands of invoice-themed emails with PDF attachments. Proofpoint’s report stated that “the PDFs contained OneDrive URLs that, if clicked, initiated a multi-step infection chain eventually leading to the malware payload, a variant of the WasabiSeed and Screenshotter custom toolset.” According to The Hacker News, there is evidence to suggest that the actor may be financially motivated, given that Screenshotter acts as a reconnaissance tool to identify high-value targets for post-exploitation.
Ransomed schools reveal a hidden cost of ransomware: mold
One of the less discussed but still serious outcomes of a ransomware attack was revealed last month when the Pawtucketville Memorial Elementary School of Lowell, MA, released its indoor air quality assessment, prepared by the Massachusetts Department of Public Health. Mold growth in the elementary school delayed its opening due to “conditions that appear to have been brought on this past summer by a combination of lack of heating, ventilation, and air conditioning (HVAC) system controls, due to a cyberattack of the City of Lowell’s computer systems.” This is just one of a number of schools that have suffered structural and environmental damage due to ransomware. Others, including a school district in Ohio, were forced to cancel classes due to a TrickBot infection that required the re-imaging of 1,000 computers and laptops.
(Lowell, MA and ZDNet)