This week’s Cyber Security Headlines – Week in Review is hosted by Rich Stroffolino with guest Ray Espinoza, VP of information security, Elite Technology.
Missed the live show? Check it out on YouTube
Cyber Security Headlines – Week in Review is live every Friday at 12:30pm PT/3:30pm ET. Join us each week by registering for the open discussion at CISOSeries.com
City of Baltimore gets socially engineered to the tune of $1.5 million
The City of Baltimore admits it has fallen victim to a con in which an individual “spoofed a vendor and tricked city employees into changing the contractor’s bank account information,” according to the city’s inspector general Isabel Mercedes Cumming, who also said “the city’s accounts payable department had failed to implement corrective measures after previous incidents of fraud and did not have proper protections in place to verify supplier details.” The fraudster relieved the city of $1.5 million in two payments, only one of which has been successfully recovered.
Ransomware gang takedowns create more smaller gangs
Cybersecurity observers are warning that the success law enforcement agencies globally have enjoyed in taking down large operations such as LockBit, BlackCat/AlphV and Hive has had a side effect: the takedowns, which have focused largely on impounding or destroying the gangs’ infrastructure but not on arresting the operators, have allowed gang members to re-form in greater variety. Malwarebytes tracked 60 new ransomware gangs operating this year. Researchers are attributing this growth to “a mix of domain experience, commoditized malware, and abundant AI, [which] is lowering the barrier to entry.”
LegalPwn technique hides LLM prompts inside contract legalese
Researchers at security firm Pangea are warning of another creative way to jailbreak LLMs, empowering them with instructions that can be used to exploit vulnerabilities and circumvent cybersecurity practices. This one focuses on the inability of many LLMs to distinguish between instructions in their users’ prompt and those hidden inside ingested data. We have already seen this with threat actors hiding prompts inside online calendars and inline comments inside documents, but now they are also being inserted inside the large paragraphs of legalese in contracts, carefully written to not raise suspicions among human readers. Not all LLMs are fooled, but the most popular and heavily used ones do succumb to the prompts more readily.
SaaS company Workiva discloses data breach
Representatives of the company state that attackers gained access to a third-party customer relationship management (CRM) system and stole some of their data. Workiva’s customer list contains some big names including Google, T-Mobile, Delta, Wayfair, Hershey, Slack, Santander, Nokia, Kraft Heinz, Wendy’s, Paramount, Air France, KLM, Mercedes-Benz, and more. According to BleepingComputer, “threat actors exfiltrated a limited set of business contact information, including names, email addresses, phone numbers, and support ticket content.” BleepingComputer has learned that this incident was “part of the recent wave of Salesforce data breaches linked to the ShinyHunters extortion group that impacted many high-profile companies.”
(BleepingComputer)
Huge thanks to our sponsor, ThreatLocker

SAP invests in sovereign cloud infrastructure in Europe
The global enterprise software giant headquartered in Germany says it will invest €20 billion into “expanding sovereign cloud infrastructure in Europe over the next ten years, pitching itself as a secure and compliant alternative to American cloud giants.” This move is intended to help provide sovereign infrastructure for the public sector and regulated environments. However, some within the organization, including CEO Christian Klein, disagree with the initiative, favoring a focus on using AI to improve manufacturing and other processes for its customers.
Cephalus ransomware spoofs SentinelOne as attack vector
A new ransomware named Cephalus is casting its spear at law firms, financial services, healthcare organizations, architectural practices, municipalities, IT firms, and marketing agencies in the U.S. and Japan. Cephalus breaks in by leveraging Remote Desktop Protocol (RDP) accounts that have not been secured with multi-factor authentication (MFA). According to a report from security firm Huntress, the malware “drops a real program executable from security firm SentinelOne into a computer’s Downloads folder. This is then tricked into sideloading a malicious DLL that runs the ransomware code. Cephalus will also delete Windows Shadow Copy files, which companies often turn to for recovery of their data, and also disables Windows Defender.
(Fortra)
‘2.5 billion Gmail users at risk’? Entirely false, says Google
Google dismissed claims that 2.5 billion Gmail users were at risk from a major attack, calling them “entirely false.” The rumors seem to have stemmed from a Salesforce-related breach tied to ShinyHunters, which led to phishing and vishing attacks, but Google says Gmail itself was never compromised, adding that its protections block 99.9% of such threats and urging users to remain vigilant against scams.
(ZDNet)
HexStrike AI exploits 0-day flaws
HexStrike AI, an AI-driven offensive security framework meant for red teams, has been leveraged by threat actors to exploit newly disclosed vulnerabilities at high speed, sometimes within ten minutes. By orchestrating more than 150 security tools through AI agents, it scans, crafts, and delivers exploits on its own. Its built-in retry logic allows exploit attempts to continue until successful, massively improving attacker success rates. Threat actors are also using the tool to flag vulnerable systems for resale to other criminals. The tool has already been used to exploit Citrix NetScaler zero days and n-days.






