Cybersecurity News: Israel refinery cyberattack, TSA pipeline guidelines, CISA’s IDOR warning

Israel’s largest oil refinery website goes offline amid cyber attack claims

The website of Israel’s largest oil refinery operator, BAZAN Group, became inaccessible from most of the world on Sunday in what may have been a cyber attack. The site remained reachable from within Israel, possibly because BAZAN imposed a geo-block in an attempt to blunt an ongoing attack. In a Telegram channel, the Iranian hacktivist group Cyber Avengers claimed responsibility and leaked what appear to be screenshots of BAZAN’s SCADA systems. The group says it breached the petrochemicals giant by exploiting a Check Point firewall at the company; the claim has not been independently confirmed.

(Bleeping Computer)

TSA renews cybersecurity guidelines for pipelines

On Thursday, the Transportation Security Administration renewed its cybersecurity regulations for operators of hazardous liquid and natural gas pipelines and of liquefied natural gas facilities. The requirements trace back to security directives first issued in 2021, following the Colonial Pipeline ransomware attack, and reissued in May 2022. The renewed guidelines close loopholes in the regulations and give operators more flexibility in how they protect their sites. “Operators must confirm to TSA that they have instituted a range of cybersecurity measures, including an incident response plan, the creation of a cybersecurity coordinator position, vulnerability scans, and network segmentation.”

(The Record)

CISA, Australia warn of IDOR vulnerabilities after major breaches

These warnings relate to vulnerabilities that allow hackers to “change or delete data by using the identities of users allowed to access the information.” In an advisory released last week, CISA and the Australian Cyber Security Centre stated that insecure direct object reference (IDOR) vulnerabilities arise when a website or API accepts a user-supplied identifier for an object and returns or modifies that object without requiring authentication, or without properly checking that the user submitting the request is authenticated and authorized to access it. Multiple security incidents have already involved IDOR vulnerabilities, including “a situation affecting a payment plugin for WordPress sites, U.S. electronics giant Eaton, Microsoft Teams, AT&T, and First American Financial.”

(The Record)
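The following is an added illustration of the IDOR pattern the advisory describes; it is not code from CISA, the ACSC or any of the affected vendors. The toy customer portal, its invoice records, user names and sequential ids are all constructed for the example. It shows the handler that checks only authentication (the bug), the same handler with a per-request ownership check applied to both reads and deletes (the fix), and the optional indirect-reference hardening that replaces guessable ids with per-session tokens.

```python
"""IDOR: a vulnerable handler, its fix, and indirect references.

Added example, not from the CISA/ACSC advisory.  Assumed toy API: a customer
portal that serves invoices by a numeric id taken from the request.  The data,
user names and ids below are constructed.
"""
import secrets
from dataclasses import dataclass


class Forbidden(Exception):
    """Raised when a request is not authenticated or not authorized."""


@dataclass
class Invoice:
    invoice_id: str
    owner: str
    amount: float


# Constructed sample data: sequential ids are trivial to guess or enumerate.
INVOICES = {
    "1001": Invoice("1001", "alice", 120.00),
    "1002": Invoice("1002", "bob", 75.50),
}


def get_invoice_vulnerable(session_user, requested_id):
    """Checks *authentication* only.  Any logged-in user who edits the id in the
    request (e.g. GET /invoices/1002) reads another customer's invoice: the IDOR."""
    if session_user is None:
        raise Forbidden("login required")
    return INVOICES[requested_id]  # trusts the client-supplied identifier


def _owned_invoice(session_user, requested_id):
    """Authorization check shared by every handler: the object must exist AND
    belong to the requesting user.  One response for both failures avoids
    telling an attacker which ids exist."""
    if session_user is None:
        raise Forbidden("login required")
    inv = INVOICES.get(requested_id)
    if inv is None or inv.owner != session_user:
        raise Forbidden("not found")
    return inv


def get_invoice_fixed(session_user, requested_id):
    return _owned_invoice(session_user, requested_id)


def delete_invoice_fixed(session_user, requested_id):
    """The same check guards state-changing requests, which the advisory's
    'change or delete data' wording covers."""
    inv = _owned_invoice(session_user, requested_id)
    del INVOICES[requested_id]
    return inv


def issue_indirect_refs(session_user):
    """Optional hardening: hand the client random per-session tokens instead of
    database ids so identifiers cannot be enumerated.  Ownership is still
    re-checked on every request; the tokens alone are not the access control."""
    return {
        secrets.token_urlsafe(16): inv.invoice_id
        for inv in INVOICES.values()
        if inv.owner == session_user
    }


def get_invoice_indirect(session_user, refs, token):
    real_id = refs.get(token)
    if real_id is None:
        raise Forbidden("not found")
    return _owned_invoice(session_user, real_id)


def denied(handler, *args):
    """True if the handler rejects the request."""
    try:
        handler(*args)
    except Forbidden:
        return True
    return False


if __name__ == "__main__":
    # alice is logged in and tampers with the id in her own request
    print("vulnerable:", get_invoice_vulnerable("alice", "1002"))  # bob's invoice
    print("fixed denies:", denied(get_invoice_fixed, "alice", "1002"))
    refs = issue_indirect_refs("alice")
    print("indirect ok:", get_invoice_indirect("alice", refs, next(iter(refs))))
```

The point to take from the fixed version is that the check is about the relationship between the requesting identity and the object, not about whether the request carried a valid session. Unpredictable identifiers make enumeration harder but do not replace that check, which is why `get_invoice_indirect` still calls `_owned_invoice`.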

Apple rejects new name ‘X’ for Twitter iOS app

This week, Google Play and Apple’s App Store released updated versions of the Twitter app bearing the ‘X’ logo and, on Android, its new name, X, even though the underlying Android package ID remains com.twitter.android. The Apple App Store, however, cannot, or will not, rename the app to ‘X’ because the name has too few characters. As data scientist and Next founder Nick Sheriff put it, “Apple does not permit any app to have a single character as their app name.” While iOS app names “can be up to 30 characters long,” they must be at least two characters in length.

(Bleeping Computer)

Thanks to this week’s episode sponsor, Opal

Opal is the data-centric identity platform. Identity is one of the last great enterprise frontiers. It’s fragmented with legacy architecture. Opal’s mission is to empower enterprises to understand and calibrate access end to end. The best security teams from companies like Databricks, Figma, Blend, and Drata use Opal to build identity security for scale. Visit opal.dev.

President Biden nominates veteran national security official as top cyber adviser

Harry Coker, a long-time CIA and National Security Agency official, has been tapped to serve as the next national cyber director. Coker replaces Chris Inglis, who led the Office of the National Cyber Director until February. The choice met some opposition: leading voices on Capitol Hill had urged Biden to nominate Inglis’s deputy, Kemba Walden, who has been serving as acting director. The White House declined to offer Walden the permanent position, “reportedly out of concern that her significant financial debts might hinder her confirmation before the Senate.”

(Cyberscoop)

CISA warns about SUBMARINE Backdoor employed in Barracuda ESG attacks

The malware variant, tracked as SUBMARINE Backdoor, was used in attacks exploiting CVE-2023-2868, a flaw in the email attachment screening module of Barracuda Email Security Gateway (ESG) appliances. CISA states, “SUBMARINE is a novel persistent backdoor executed with root privileges that lives in a Structured Query Language (SQL) database on the ESG appliance.” The agency warns that attackers can use the backdoor for lateral movement.

(Security Affairs)

Hackers abuse Windows search feature to install remote access trojans

Unknown threat actors are abusing a Windows search feature to compromise targeted systems with remote access trojans such as AsyncRAT and Remcos RAT. According to Trellix, “the technique takes advantage of the ‘search-ms:’ URI protocol handler, which offers the ability for applications and HTML links to launch custom local searches on a device, and the ‘search:’ application protocol, a mechanism for calling the desktop search application on Windows.” The threat actors craft deceptive emails that embed hyperlinks, or HTML attachments, containing a URL that redirects users to compromised websites.

(The Hacker News)
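As an added example of what a mail or endpoint team can check for, the following scanner pulls the hrefs out of an HTML body or HTML attachment and flags any that invoke the `search-ms:` or `search:` protocol handlers described above. This is not Trellix’s code and the sample HTML is constructed. The parameter names it parses (`query`, `crumb=location:...`, `displayname`) follow Microsoft’s documented `search-ms:` URI syntax; the hosts and paths in the sample are made up. It also decodes percent-encoding first, since a scheme written as `SEARCH-MS%3A` defeats a naive substring match.

```python
"""Scan HTML for links that invoke the Windows 'search-ms:' / 'search:' handlers.

Added example, not Trellix's code.  The sample document is constructed; the
parameter names follow Microsoft's documented search-ms: URI syntax and the
hosts/paths are invented for illustration.
"""
import re
from urllib.parse import unquote

# Constructed sample body: one ordinary link, one search-ms: link that points
# the search at a remote UNC share, one search: link, and one search-ms: link
# whose scheme and parameters are percent-encoded to evade simple matching.
SAMPLE_HTML = r"""
<a href="https://example.com/report.pdf">Quarterly report</a>
<a href="search-ms:query=invoice&crumb=location:\\203.0.113.5\share&displayname=Downloads">Open invoice</a>
<a href="search:query=payroll">Search payroll</a>
<a href="SEARCH-MS%3Aquery%3Dx%26crumb%3Dlocation%3A%5C%5Cfiles.example.net%40SSL%5Cdocs">Files</a>
"""

HREF_RE = re.compile(r"""href\s*=\s*["']([^"']+)["']""", re.IGNORECASE)
SEARCH_SCHEMES = {"search-ms", "search"}


def extract_hrefs(html):
    """All href values in the document (message body or HTML attachment alike)."""
    return HREF_RE.findall(html)


def classify_link(href):
    """None for an ordinary link; otherwise a finding describing the search URI."""
    decoded = unquote(href).strip()  # undo percent-encoding before looking at the scheme
    scheme, sep, rest = decoded.partition(":")
    scheme = scheme.lower()
    if not sep or scheme not in SEARCH_SCHEMES:
        return None
    params = [part.partition("=") for part in rest.split("&")]
    crumbs = [value for key, _, value in params if key.lower() == "crumb"]
    # crumb=location:<path> sets where the search runs.  A UNC or WebDAV path
    # (\\host\share, \\host@SSL\share) means the listed "results" are fetched
    # from a host the attacker controls rather than from the local disk.
    location = next(
        (c.split(":", 1)[1] for c in crumbs if c.lower().startswith("location:")), ""
    )
    remote = location.startswith(("\\\\", "//")) or "@ssl" in location.lower()
    displayname = next(
        (value for key, _, value in params if key.lower() == "displayname"), ""
    )
    return {
        "scheme": scheme,
        "location": location,
        "remote": remote,
        "displayname": displayname,  # what Explorer shows in the title bar
        "raw": href,
    }


def scan_html(html):
    """Findings for every search-protocol link in the document."""
    return [f for f in map(classify_link, extract_hrefs(html)) if f is not None]


if __name__ == "__main__":
    for finding in scan_html(SAMPLE_HTML):
        flag = "REMOTE" if finding["remote"] else "local"
        print(f"{finding['scheme']:10} {flag:7} {finding['location']!r} "
              f"shown as {finding['displayname']!r}")
```

A `search:` or `search-ms:` link has almost no legitimate reason to appear in inbound email, so any hit is worth quarantining; a remote `location:` crumb is the strongest signal. On endpoints that do not need the feature, the handler registration under `HKEY_CLASSES_ROOT\search-ms` (and `HKEY_CLASSES_ROOT\search`) can be removed so the link does nothing even if a user clicks it.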

Last week in ransomware

Ransomware gangs are compensating for declining ransom payments by turning up the pressure on victims, including by using clearweb sites to leak data stolen in the MOVEit Transfer attacks. The Clop and BlackCat/ALPHV gangs have both used this technique, which makes the stolen data easier to reach and could let search engines index it, making it more readily available and adding pressure on victims to have it removed. Last week also saw BlackCat introduce a new data leak API that makes it easy to grab the latest information on who is listed on its data leak site. Sophos released new research on the new Nitrogen initial access malware used by BlackCat. A MOVEit breach at US government supplier Maximus exposed the data of up to 11 million people, an attack on Yamaha was claimed by both Akira and BlackByte, and Hawai’i Community College paid a ransom to prevent the leak of data.

(Bleeping Computer)

Steve Prentice
Author, speaker, expert in the area where people and technology crash into each other, viewed from the organizational psychology perspective. Host of many podcasts, voice actor and narrator for corporate media and audiobooks. Ghost-writer for busy executives.