Cybersecurity News: Cloudflare announces breach, AnyDesk announces breach, Children’s hospital attacked

Cloudflare announces nation-state level breach

Cloudflare has disclosed that it was the target of a likely nation-state attack, carried out with stolen credentials, between November 14 and 24. The attackers spent four days viewing its Atlassian Confluence and Jira portals, then created a rogue Atlassian user account and ultimately gained access to the Bitbucket source code management system. Cloudflare estimates that seventy-six repositories were exfiltrated. The attack was made possible by one access token and three service account credentials, associated with Amazon Web Services (AWS), Atlassian Bitbucket, Moveworks, and Smartsheet, that were stolen in the October 2023 compromise of Okta’s support case management system. Cloudflare acknowledged that it had failed to rotate these credentials after that incident, mistakenly believing they were unused.

(The Hacker News)
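The lesson of the Cloudflare item is that "we have not seen this token used" is not a reason to leave it in place once it has passed through a compromised third party. The following is an added example of a rotation triage, written for this page and not Cloudflare's own tooling: it takes an inventory of secrets that were disclosed to an outside system (a support ticket, a vendor portal), a compromise window for that system, and produces a prioritised rotation list. The inventory, the dates and the compromise window are all constructed for the example; the window is a placeholder, not the actual Okta incident dates.

```python
"""Rotation triage for credentials that transited a compromised third party.

Added example for this page (not Cloudflare's code). The rule it encodes:
exposure, not observed use, decides whether a secret is rotated.
"""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Credential:
    name: str                     # label for the secret, never the secret itself
    target: str                   # system it grants access to (AWS, Bitbucket, ...)
    shared_with: str              # where it was disclosed (support ticket, vendor)
    shared_on: date               # when it left our control
    revoked_on: Optional[date]    # None: still live
    last_used_on: Optional[date]  # None: no use seen in our own logs


def exposed(c: Credential, breach_start: date, breach_end: date) -> bool:
    """True if the credential sat in the third party's system at any point
    during the compromise window. A revoked credential is only safe if it
    was revoked before the window opened."""
    if c.shared_on > breach_end:
        return False
    return c.revoked_on is None or c.revoked_on >= breach_start


def rotation_plan(creds: List[Credential], breach_start: date,
                  breach_end: date) -> List[Tuple[str, int, str]]:
    """Return (name, priority, reason) for every exposed credential,
    lowest priority number first.

    last_used_on is used only to raise priority, never to lower it: "no use
    seen" means the attacker has not used it where we log, nothing more."""
    plan: List[Tuple[str, int, str]] = []
    for c in creds:
        if not exposed(c, breach_start, breach_end):
            continue
        if c.revoked_on is not None:
            plan.append((c.name, 2,
                         f"already revoked on {c.revoked_on}; review {c.target} logs "
                         f"for use between {breach_start} and {c.revoked_on}"))
        elif c.last_used_on is not None and c.last_used_on >= breach_start:
            plan.append((c.name, 0,
                         f"rotate now and review {c.target} logs: "
                         f"used on {c.last_used_on}, after exposure"))
        else:
            plan.append((c.name, 1,
                         f"rotate: no observed use since exposure is not "
                         f"evidence it was not taken"))
    return sorted(plan, key=lambda row: (row[1], row[0]))


# Constructed compromise window and inventory (placeholders, not real data).
BREACH_START = date(2023, 10, 1)
BREACH_END = date(2023, 10, 20)

SAMPLE_INVENTORY = [
    Credential("bitbucket-ci-token", "Bitbucket", "support ticket #1",
               date(2023, 9, 1), None, date(2023, 9, 3)),
    Credential("aws-svc-account", "AWS", "support ticket #1",
               date(2023, 9, 1), None, None),
    Credential("smartsheet-api-key", "Smartsheet", "support ticket #2",
               date(2023, 9, 15), None, date(2023, 10, 25)),
    Credential("moveworks-token", "Moveworks", "support ticket #2",
               date(2023, 9, 15), date(2023, 10, 10), None),
    Credential("old-vendor-key", "Vendor", "support ticket #0",
               date(2023, 8, 1), date(2023, 9, 20), None),
    Credential("new-key", "AWS", "support ticket #3",
               date(2023, 11, 1), None, None),
]

if __name__ == "__main__":
    for name, prio, reason in rotation_plan(SAMPLE_INVENTORY, BREACH_START, BREACH_END):
        print(f"P{prio} {name}: {reason}")
```

`old-vendor-key` is skipped because it was revoked before the window opened, and `new-key` because it was shared after the window closed; everything else is on the list, including the two credentials with no observed use at all.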

AnyDesk says hackers breached production servers, reset passwords

The remote access application AnyDesk has confirmed a cyberattack that compromised its production systems and resulted in the theft of source code and code signing keys. No details about the theft of other data were revealed, but AnyDesk representatives did confirm that ransomware was not involved. The company “revoked security-related certificates and remediated or replaced systems as necessary. They also reassured customers that AnyDesk was safe to use and that there was no evidence of end-user devices being affected by the incident.”

(Bleeping Computer)

Chicago children’s hospital announces cyberattack

Lurie Children’s Hospital, one of the largest children’s healthcare organizations in the Midwest, serving 239,000 children each year, was forced to take its entire network offline on Thursday. This follows a similar incident at Saint Anthony Hospital on Chicago’s west side on December 18. In Lurie’s case, however, no ransomware group has stepped forward to claim responsibility, and the hospital has not stated that this was a ransomware attack. Lurie officials have emphasized that the hospital remained open during the attack and continues to provide care.

(The Record)

New leadership at U.S. Cyber Command and the National Security Agency

Air Force Gen. Timothy Haugh has taken over command of these two agencies, previously led by Army Gen. Paul Nakasone. General Nakasone, who received high commendations for his leadership, described General Haugh as the “perfect person” for the job. Gen. Haugh most recently served as Cyber Command’s No. 2 and as head of the Air Force’s digital and information warfare branch, and has held numerous senior roles at Cyber Command.

(The Record)

Huge thanks to this week’s episode sponsor, Vanta

From dozens of spreadsheets and screenshots to fragmented tools and manual security reviews, managing the requirements for modern compliance and security programs is increasingly challenging. Vanta is the leading Trust Management Platform that helps you centralize your efforts to establish trust and enable growth across your organization. Over 6,000 companies partner with Vanta to automate compliance, strengthen security posture, streamline security reviews, and reduce third-party risk. To learn more, go to vanta.com/ciso and watch their 3-minute product demo.

Spoutible suffers data theft

The social media platform, one of many seeking to replace X, formerly known as Twitter, announced the theft after being alerted by HaveIBeenPwned founder Troy Hunt. Spoutible founder Christopher Bouzy attributed it to a vulnerability inadvertently introduced in a recent update. In a statement Bouzy said, “an unnamed individual exploited the vulnerability to scrape limited personal data from our users, […] this vulnerability did not involve direct access to our databases….decrypted passwords and direct messages were not disclosed.”

(Spoutible)

Mastodon warns of account takeover flaw

Tracked as CVE-2024-23832 (CVSS score 9.4), this flaw would allow threat actors to impersonate and take over any account on the decentralized Mastodon network. The project’s advisory attributes the problem to insufficient origin validation. Mastodon will withhold technical details until after February 15, giving administrators time to update their instances before details that could prompt mass exploitation become public. The issue affects Mastodon versions prior to 3.5.17, 4.0.x versions prior to 4.0.13, 4.1.x versions prior to 4.1.13, and 4.2.x versions prior to 4.2.5.

(Security Affairs and Mastodon advisory)
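The only practical check available while the details are embargoed is a version check against the affected ranges listed above. The following is an added example, written for this page and not part of the Mastodon advisory or code base: it parses the version string an instance reports (the `version` field of `GET /api/v1/instance`) and compares it against the first fixed release on each branch. The handling of `-rc` prereleases and `+fork` build suffixes, and the assumption that branches newer than 4.2 postdate the fix, are this example's own conventions; the sample response body is constructed, not captured from a real instance.

```python
"""Version check for CVE-2024-23832 affected ranges (added example, not Mastodon's code)."""
import json
import re
from typing import Optional, Tuple

# First fixed release on each 4.x branch, per the advisory summary above.
FIXED_4X = {
    (4, 0): (4, 0, 13),
    (4, 1): (4, 1, 13),
    (4, 2): (4, 2, 5),
}
FIXED_LEGACY = (3, 5, 17)  # every release older than this is affected

# Numeric core plus an optional '-prerelease' suffix; '+build' metadata is ignored.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.]+)?")


def parse_version(text: str) -> Optional[Tuple[int, int, int, bool]]:
    """Return (major, minor, patch, is_final), or None if unparseable.

    Instances commonly report strings such as '4.2.5+glitch' (a fork build
    of 4.2.5) or '4.2.5-rc1' (a prerelease that predates the 4.2.5 fix).
    This suffix handling is the example's own convention (assumption)."""
    m = _VERSION_RE.match(text.strip())
    if m is None:
        return None
    major, minor, patch = (int(p) for p in m.groups()[:3])
    return major, minor, patch, m.group(4) is None


def is_vulnerable(version: Optional[str]) -> Optional[bool]:
    """True if the version is in an affected range, False if at or past the
    fix for its branch, None if the version cannot be parsed.

    A prerelease of the fixed version (e.g. 4.2.5-rc1) counts as affected.
    Branches newer than 4.2 are assumed to postdate the fix (assumption)."""
    if not version:
        return None
    parsed = parse_version(version)
    if parsed is None:
        return None
    major, minor, patch, is_final = parsed
    core = (major, minor, patch)
    if major < 4:
        fixed = FIXED_LEGACY
    else:
        fixed = FIXED_4X.get((major, minor))
        if fixed is None:
            return False  # 4.3 and later: released after the advisory
    return core < fixed or (core == fixed and not is_final)


def version_from_instance_json(body: str) -> Optional[str]:
    """Extract the 'version' field from a GET /api/v1/instance response body."""
    try:
        data = json.loads(body)
    except ValueError:
        return None
    return data.get("version") if isinstance(data, dict) else None


# Constructed response body shaped like /api/v1/instance output; not a real instance.
SAMPLE_INSTANCE_RESPONSE = '{"uri": "example.invalid", "title": "Example", "version": "4.2.4"}'

if __name__ == "__main__":
    reported = version_from_instance_json(SAMPLE_INSTANCE_RESPONSE)
    print(reported, "affected" if is_vulnerable(reported) else "not affected")
```

An unparseable version returns `None` rather than `False` so that a broken or obfuscated version string is treated as "investigate", not as "patched".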

Civilians in Jordan infected by NSO’s Pegasus spyware

A joint report released by digital rights organization Access Now and the Toronto-based research group Citizen Lab says that “the phones of some three dozen journalists, human rights advocates and lawyers in Jordan were infected with Pegasus spyware.” According to The Record, “While the report suggests the Jordan authorities are behind the campaign, the authors stop short of saying so directly.” The Record goes on to note that a previous Citizen Lab report had confirmed that two organizations in Jordan were Pegasus spyware customers. Pegasus is zero-click spyware, meaning victims do not need to click on anything to be infected.

(The Record)

Finance worker pays out $25 million after video call with deepfaked CFO

An employee of an unnamed Hong Kong-based multinational firm wired $25 million to cybercriminals who had used deepfake technology to impersonate every other participant in a company video conference call. The employee had initially grown suspicious after receiving a message purporting to come from the CFO that mentioned a “secret” transaction to be carried out. Seeing a group of people on the call alongside the CFO was convincing enough, however, for the employee to go ahead with the transaction. All of those people were fake.

(CNN)

Steve Prentice
Author, speaker, expert in the area where people and technology crash into each other, viewed from the organizational psychology perspective. Host of many podcasts, voice actor and narrator for corporate media and audiobooks. Ghost-writer for busy executives.